CVE-2026-0916 identifies a stored Cross-Site Scripting (XSS) vulnerability in the 'Related Posts by Taxonomy' WordPress plugin developed by keesiemeijer. The flaw exists in all versions up to and including 2.7.6, specifically within the 'related_posts_by_tax' shortcode functionality. The root cause is insufficient input sanitization and output escaping of user-supplied attributes, allowing authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into pages. This malicious code is stored persistently and executed in the browsers of any users who visit the compromised pages, potentially leading to session hijacking, privilege escalation, or data theft. The vulnerability requires authentication but no user interaction to trigger the payload once injected. The CVSS 3.1 base score is 6.4, reflecting network attack vector, low attack complexity, privileges required, no user interaction, and a scope change with low confidentiality and integrity impacts but no availability impact. No public exploits have been reported yet, but the vulnerability is significant due to the widespread use of WordPress and the plugin's popularity. The issue highlights the importance of proper input validation and output encoding in web applications, especially in plugins that accept user input for dynamic content generation.

For European organizations, this vulnerability could lead to unauthorized script execution on WordPress sites using the affected plugin, compromising user sessions and potentially exposing sensitive information. Attackers with contributor-level access could leverage this flaw to escalate privileges or conduct phishing attacks by injecting malicious content. This could damage organizational reputation, lead to data breaches under GDPR regulations, and disrupt business operations relying on WordPress-based websites. Since WordPress is widely used across Europe for corporate, governmental, and e-commerce sites, the risk is non-trivial. The vulnerability’s stored nature means that once exploited, all visitors to the infected pages are at risk, increasing the potential impact. Additionally, the scope change in the CVSS vector indicates that the vulnerability affects components beyond the initially compromised privileges, potentially impacting a broader user base.

Organizations should immediately update the 'Related Posts by Taxonomy' plugin to a patched version once available. In the absence of an official patch, administrators should disable or remove the plugin to eliminate the attack surface. Implement strict role-based access controls to limit contributor-level permissions only to trusted users. Employ Web Application Firewalls (WAFs) with custom rules to detect and block malicious script injections targeting the shortcode parameters. Conduct thorough audits of existing content for injected scripts and sanitize or remove any suspicious entries. Additionally, enable Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts. Regularly monitor logs for unusual activity related to shortcode usage and user input. Educate content contributors about safe input practices and the risks of injecting untrusted content. Finally, maintain a robust backup and incident response plan to quickly recover from any successful exploit.