CVE-2026-0916 identifies a stored cross-site scripting vulnerability in the 'Related Posts by Taxonomy' WordPress plugin developed by keesiemeijer. This vulnerability exists in all versions up to and including 2.7.6 due to improper neutralization of input during web page generation (CWE-79). Specifically, the plugin fails to adequately sanitize and escape user-supplied attributes passed to the 'related_posts_by_tax' shortcode. As a result, authenticated users with contributor-level permissions or higher can inject arbitrary JavaScript code into pages. These scripts are stored persistently and execute whenever any user accesses the compromised page, potentially allowing attackers to steal session cookies, perform actions on behalf of other users, or manipulate page content. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting a medium severity level. The attack vector is network-based with low attack complexity, requiring privileges but no user interaction. The scope is changed as the vulnerability affects other users beyond the attacker. No patches or exploit code are currently publicly available, but the risk remains significant for sites using this plugin without mitigation. The vulnerability highlights the importance of proper input validation and output encoding in WordPress plugins, especially those processing user-generated content or shortcode attributes.

The primary impact of CVE-2026-0916 is the compromise of confidentiality and integrity for WordPress sites using the vulnerable plugin. Attackers with contributor-level access can inject malicious scripts that execute in the context of other users, potentially leading to session hijacking, theft of sensitive information, unauthorized actions, or defacement. While availability is not directly affected, successful exploitation can undermine user trust and site integrity. Organizations relying on this plugin risk exposure to targeted attacks, especially if higher privilege users or administrators view the injected content. The vulnerability could be leveraged in multi-user environments such as editorial teams or community sites where contributors have posting rights. Although no known exploits are reported in the wild, the ease of exploitation and the persistent nature of stored XSS make this a credible threat. The scope of impact extends beyond the attacker to all users who access the compromised pages, increasing potential damage. This vulnerability could also facilitate further attacks such as privilege escalation or malware distribution if combined with other weaknesses.

To mitigate CVE-2026-0916, organizations should first check for and apply any official patches or updates from the plugin developer once available. In the absence of patches, immediate steps include disabling or removing the 'Related Posts by Taxonomy' plugin to eliminate the attack surface. Restrict contributor-level permissions to trusted users only and audit existing content for injected scripts. Implement a Web Application Firewall (WAF) with rules to detect and block suspicious shortcode attribute inputs and common XSS payloads. Employ Content Security Policy (CSP) headers to restrict script execution sources and reduce the impact of injected scripts. Review and harden user role permissions to minimize the number of users who can inject content. Additionally, sanitize and validate all user inputs at the application level and ensure output encoding is enforced in custom themes or plugins interacting with this shortcode. Monitor logs for unusual activity and conduct regular security assessments focusing on plugin vulnerabilities. Educate content contributors about safe input practices and the risks of injecting untrusted content.