Reflected XSS via rp4wp_parent in barrykooij/related-posts-for-wp


Reported on

Sep 20th 2022


The rp4wp_parent value is echoed without encoding, leading to reflected XSS.

Proof of Concept

Install wordpress, install the "Related Posts for WordPress" plugin, then visit the following URL, where localhost is the server hosting the app:



With a successful attack, an attacker can access all data the attacked user has access to, as well as perform arbitrary requests in the name of the attacked user.

In the case of a default wordpress installation, the attacker could eg add a new admin user and gain RCE via the plugin/theme editor.


Value is read from $_GET['rp4wp_parent'];, stored in $parent, passed to $cancel_url and then echoed without encoding.

We are processing your report and will contact the barrykooij/related-posts-for-wp team within 24 hours. a year ago
We created a GitHub Issue asking the maintainers to create a a year ago
We have contacted a member of the barrykooij/related-posts-for-wp team and are waiting to hear back a year ago
Barry Kooij validated this vulnerability a year ago
foobar7 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Barry Kooij
a year ago


Thank you for your report, I will fix this over the weekend!

Barry Kooij marked this as fixed in 2.1.2 with commit 269e0a a year ago
Barry Kooij has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation