Impact
The URLYar URL Shortener plugin for WordPress contains a stored cross-site scripting flaw caused by inadequate sanitization and escaping of the attributes supplied to its "urlyar_shortlink" shortcode. The bracketed shortcode text is not HTML, so the KSES filtering that WordPress applies to content from users without the unfiltered_html capability does not escape it; the attribute values reach the page only through the plugin's own output, and that output is not escaped. As a result, an authenticated user with the contributor role or higher can place a malicious attribute value in a post or page that the plugin renders. When any visitor loads the affected page, the injected script executes in that visitor's browser, allowing the attacker to steal session cookies, deface content, or mount further attacks against the user. Exploitation requires at least contributor privileges; unauthenticated users cannot trigger it. The impact is data theft and possible defacement within the affected site.
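To illustrate the bug class, here is a hypothetical shortcode handler in its vulnerable form beside a hardened form. This is an added example, not the URLYar plugin's own code: the shortcode tag example_shortlink and the attribute names url, text and class are assumptions, and the block relies on the WordPress API (shortcode_atts, esc_url, esc_attr, esc_html, sanitize_html_class, add_shortcode) so it runs inside a WordPress site, for example from a small mu-plugin.

```php
<?php
/*
 * Hypothetical shortcode handlers showing the stored-XSS pattern described above.
 * Added example, NOT the URLYar plugin's code. The tag and the attribute names
 * (url, text, class) are assumptions. Requires the WordPress runtime.
 */

// Vulnerable pattern: attribute values are interpolated into HTML without escaping.
// A contributor can save
//   [example_shortlink_vulnerable url="https://x.example/" class='" onmouseover="alert(1)']
// KSES does not escape the bracketed shortcode text, so the value is stored as-is and
// lands in the rendered <a> element, where the injected attribute runs on hover.
function example_shortlink_vulnerable( $atts ) {
    $atts = shortcode_atts(
        array( 'url' => '', 'text' => 'Short link', 'class' => 'urlyar' ),
        $atts,
        'example_shortlink_vulnerable'
    );
    // Every attribute reaches the page unescaped: stored XSS.
    return '<a href="' . $atts['url'] . '" class="' . $atts['class'] . '">'
        . $atts['text'] . '</a>';
}

// Hardened pattern: escape each value for the context it lands in.
function example_shortlink_hardened( $atts ) {
    $atts = shortcode_atts(
        array( 'url' => '', 'text' => 'Short link', 'class' => 'urlyar' ),
        $atts,
        'example_shortlink_hardened'
    );
    // esc_url() drops disallowed schemes such as javascript: and encodes the rest,
    // returning '' when nothing safe remains.
    $url = esc_url( $atts['url'] );
    if ( '' === $url ) {
        return ''; // nothing safe to link to, emit nothing
    }
    // sanitize_html_class() keeps only [A-Za-z0-9_-], falling back to 'urlyar'.
    $class = sanitize_html_class( $atts['class'], 'urlyar' );
    // esc_attr() for attribute values, esc_html() for element content.
    return sprintf(
        '<a href="%s" class="%s">%s</a>',
        $url,
        esc_attr( $class ),
        esc_html( $atts['text'] )
    );
}

add_shortcode( 'example_shortlink_vulnerable', 'example_shortlink_vulnerable' );
add_shortcode( 'example_shortlink_hardened', 'example_shortlink_hardened' );
```

The important point is that the escaping has to happen at output time and per context: esc_url() for the href, esc_attr() for other attribute values, esc_html() for text between tags. Relying on WordPress's input filtering for contributor content is not enough, because that filtering never sees the values as HTML.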
Affected Systems
All versions of the URLYar URL Shortener plugin for WordPress up to and including 1.1.0 are affected. The plugin is published by salamzadeh under the product name URLYar URL Shortener; any WordPress site running an affected version and rendering the "urlyar_shortlink" shortcode is exposed.
Risk and Exploitability
A CVSS score of 6.4 places the issue at medium severity, and an EPSS score below 1% indicates that the probability of exploitation in the wild is currently low. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. An attacker needs an authenticated account with contributor or higher privileges to store the payload. Once a page carrying the injected attribute is viewed, the script runs in the visitor's browser context, where it can read that visitor's data or act with their session. Because the payload is stored in post content, it remains in the database until the content is edited; a plugin update that escapes the output stops the script from executing but leaves the stored attribute value in place, so existing posts and pages that use the shortcode should be reviewed as well.
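Since the payload survives in post_content after the plugin is updated, an incident responder will want to find any already-stored attempts. The following is an added example, not code from the plugin or from OpenCVE: it walks every non-trashed post containing the shortcode, parses each occurrence with the WordPress shortcode parser, and reports attribute values that look like injection attempts. It assumes the WordPress runtime ($wpdb, get_shortcode_regex, shortcode_parse_atts) and the hypothetical helper names example_attr_is_suspicious and example_hunt_shortlink_payloads; it can be run with `wp eval-file` on the site.

```php
<?php
/*
 * Hypothetical hunt for already-stored payloads in [urlyar_shortlink] shortcodes.
 * Added example, not the plugin's code. Assumes the WordPress runtime and is meant
 * to be executed on the site, e.g. via `wp eval-file hunt.php`.
 */

// Attribute values that a legitimate short link should never contain:
// HTML brackets, quotes that could break out of an attribute, script-bearing
// URL schemes, or an on* event-handler assignment.
function example_attr_is_suspicious( $value ) {
    return (bool) preg_match(
        '/<|>|"|\'|javascript:|data:|vbscript:|\bon[a-z]+\s*=/i',
        $value
    );
}

// Scan every post/page whose content mentions the shortcode and return one
// array( post ID, author ID, attribute name, attribute value ) per suspicious value.
function example_hunt_shortlink_payloads( $tag = 'urlyar_shortlink' ) {
    global $wpdb;
    $hits = array();

    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT ID, post_author, post_content FROM {$wpdb->posts}
         WHERE post_content LIKE %s AND post_status <> 'trash'",
        '%' . $wpdb->esc_like( '[' . $tag ) . '%'
    ) );

    // Same regex core.php uses for do_shortcode(); capture group 3 is the raw
    // attribute string of each occurrence.
    $regex = '/' . get_shortcode_regex( array( $tag ) ) . '/';

    foreach ( $rows as $row ) {
        if ( ! preg_match_all( $regex, $row->post_content, $m, PREG_SET_ORDER ) ) {
            continue;
        }
        foreach ( $m as $sc ) {
            $atts = shortcode_parse_atts( $sc[3] );
            if ( ! is_array( $atts ) ) {
                continue; // no attributes parsed
            }
            foreach ( $atts as $name => $value ) {
                if ( is_string( $value ) && example_attr_is_suspicious( $value ) ) {
                    $hits[] = array( $row->ID, $row->post_author, $name, $value );
                }
            }
        }
    }
    return $hits;
}

foreach ( example_hunt_shortlink_payloads() as $hit ) {
    printf( "post %d (author %d): %s=%s\n", $hit[0], $hit[1], $hit[2], $hit[3] );
}
```

A hit is a lead, not proof: review the post revisions and the author account before removing the value, since the author ID and revision history tell you which account was used and when the payload was planted.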
OpenCVE Enrichment