Reflected XSS via rp4wp_parent in barrykooij/related-posts-for-wp
Sep 20th 2022
The rp4wp_parent value is echoed without encoding, leading to reflected XSS.
Proof of Concept
Install WordPress, install the "Related Posts for WordPress" plugin, then visit the following URL, where localhost is the server hosting the app:
With a successful attack, an attacker can access all data the attacked user has access to, as well as perform arbitrary requests in the name of the attacked user.
In the case of a default WordPress installation, the attacker could, e.g., add a new admin user and gain RCE via the plugin/theme editor.
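To make the root cause concrete for maintainers, the following is an added illustration of the vulnerable pattern described above next to the hardened form. It is not code from the Related Posts for WordPress plugin; the function names and the hidden-input context are assumptions, and the only thing taken from the report is that a query-string value named rp4wp_parent is echoed into the page.

```php
<?php
// Added illustration, not the plugin's own code. Assumes an admin page that
// reads ?rp4wp_parent= from the query string and writes it into a hidden input.

// Vulnerable pattern: the raw query-string value is concatenated straight into
// HTML. A value containing a quote or angle brackets leaves the attribute and
// is interpreted as markup/script by the browser (reflected XSS).
function rp4wp_example_hidden_field_unsafe() {
    $parent = isset( $_GET['rp4wp_parent'] ) ? $_GET['rp4wp_parent'] : '';
    echo '<input type="hidden" name="rp4wp_parent" value="' . $parent . '" />';
}

// Hardened pattern: a parent post ID is an integer, so coerce it with absint()
// (rejecting anything that is not a non-negative number), and still encode it
// for the attribute context on output with esc_attr(). Validation on input and
// escaping on output are both kept; neither alone is the WordPress convention.
function rp4wp_example_hidden_field_safe() {
    $parent = isset( $_GET['rp4wp_parent'] )
        ? absint( wp_unslash( $_GET['rp4wp_parent'] ) )
        : 0;
    echo '<input type="hidden" name="rp4wp_parent" value="' . esc_attr( $parent ) . '" />';
}
```

When the reflected value is free text rather than a post ID, drop absint() and keep esc_attr() (or esc_html() when the value lands in element content rather than an attribute); the fix is choosing the escaping function that matches the HTML context the value is written into.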