Impact
The vulnerability is in the This-or-That WordPress plugin, whose thisorthat shortcode does not properly sanitize or escape user‑supplied attributes. An authenticated user with contributor or higher access can craft a block containing the shortcode with attribute values that include arbitrary JavaScript; the content is stored and the script is served to other visitors whenever a post or page containing the shortcode is viewed. This stored cross‑site scripting (CWE‑79) can lead to user‑session hijacking, credential theft, or defacement of the site. The attack does not require a separate code‑execution vector: the injected script runs in the victim’s browser, making it a classic client‑side exploit.
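To make the bug class concrete, here is an added illustration of the vulnerable pattern beside its hardened form. This is example code written for this page, not the This-or-That plugin's own source; the function names, the attribute names left and right, and the shortcode tag thisorthat_example are all assumptions. The WordPress functions shortcode_atts(), esc_html(), esc_attr() and add_shortcode() are real core APIs.

```php
<?php
// Added example, not the This-or-That plugin's code. Shows the CWE-79 pattern
// described above: shortcode attribute values land in HTML without escaping.

// VULNERABLE (assumed pattern): attribute values flow straight into markup.
// A contributor who saves [thisorthat_example left="..."] with HTML in the
// value gets that HTML rendered, as-is, for every visitor of the post.
function example_thisorthat_vulnerable( $atts ) {
    // Hypothetical attributes 'left' and 'right' (assumed, not the plugin's).
    $atts = shortcode_atts( array( 'left' => '', 'right' => '' ), $atts, 'thisorthat_example' );

    // No escaping on output: markup inside $atts['left'] becomes live DOM.
    return '<div class="totd" data-left="' . $atts['left'] . '">'
         . '<span class="left">' . $atts['left'] . '</span>'
         . '<span class="right">' . $atts['right'] . '</span></div>';
}

// HARDENED: escape at the point of output, choosing the escaper for the context.
//   esc_html() for text nodes, esc_attr() for HTML attribute values.
// Escaping at render time also neutralises content that was stored before the
// fix was deployed, which input sanitisation alone would not do.
function example_thisorthat_hardened( $atts ) {
    $atts = shortcode_atts( array( 'left' => '', 'right' => '' ), $atts, 'thisorthat_example' );

    return '<div class="totd" data-left="' . esc_attr( $atts['left'] ) . '">'
         . '<span class="left">' . esc_html( $atts['left'] ) . '</span>'
         . '<span class="right">' . esc_html( $atts['right'] ) . '</span></div>';
}

// Register only the hardened handler (tag name is an assumption for this example).
add_shortcode( 'thisorthat_example', 'example_thisorthat_hardened' );
```

The point a reviewer should check in any shortcode handler is that the plugin does not rely on the HTML filtering WordPress applies to posts saved by users without the unfiltered_html capability: that filtering operates on the post body, but shortcode attribute values are extracted by the shortcode parser and placed into freshly generated markup at render time, so they need their own context-appropriate escaping when output.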
Affected Systems
The affected product is the WordPress plugin This-or-That developed by Andrex84. All releases up to and including version 1.0.4 are vulnerable. Sites running any of these releases that grant accounts with the contributor role or higher are directly exposed, regardless of other configuration.
Risk and Exploitability
With a CVSS base score of 6.4, the issue is considered moderate severity. The EPSS score of less than 1% suggests that exploitation is currently uncommon, and the vulnerability is not listed in CISA’s KEV catalog. Attackers need only authenticate with contributor‑level access to embed malicious payloads through the shortcode interface. Once stored, the script executes for any user who views the affected page, so the threat scope extends to all site visitors. Because authenticated access is required, exposure is limited to sites that give contributors sufficient write permissions, but on such sites the resulting XSS can compromise any visitor.
OpenCVE Enrichment