CVE-2019-11869

MEDIUM EXPLOITED NUCLEI

Yuzo Related Posts 5.12.94 - Unauthenticated Stored Cross-Site Scripting via Plugin Settings

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2019-11869 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including gitrecon1455. A Nuclei detection template is also available.

AI-analyzed exploit summary The repository contains only a YAML file and a README with minimal content, lacking any functional exploit code or technical details about CVE-2019-11869.

Description

The Yuzo Related Posts plugin 5.12.94 for WordPress has XSS because it mistakenly expects that is_admin() verifies that the request comes from an admin user (it actually only verifies that the request is for an admin page). An unauthenticated attacker can inject a payload into the plugin settings, such as the yuzo_related_post_css_and_style setting.

Exploits (1)

nomisec STUB
by gitrecon1455 · poc
https://github.com/gitrecon1455/CVE-2019-11869

The repository contains only a YAML file and a README with minimal content, lacking any functional exploit code or technical details about CVE-2019-11869.

Classification
Stub 90%
Attack Type
Other
Complexity
N/a
Reliability
N/a
Target: N/A
No auth needed
devstral-2 · analyzed Feb 18, 2026 Full analysis →

Nuclei Templates (1)

WordPress Yuzo <5.12.94 - Cross-Site Scripting
MEDIUMby ganofins

References (3)

Core 3

Scores

CVSS v3 6.1
EPSS 0.0533
EPSS Percentile 91.5%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

VulnCheck KEV 2019-05-09
CWE
CWE-79
Status published
Products (1)
yuzopro/yuzo 5.12.94
Published May 09, 2019
Tracked Since Feb 18, 2026