The vulnerability is a Stored Cross‑Site Scripting flaw located in the 'id' attribute of the 'jbticker' shortcode within the JB News Ticker plugin. Because the plugin does not properly sanitize or escape this input, an attacker who can authenticate to WordPress with a Contributor role or higher can place arbitrary JavaScript that will execute whenever anyone loads a page containing the ticker. This enables potential theft of session cookies, credential hijacking, defacement or insertion of malicious redirects. No remote code execution is possible, but the impact on confidentiality, integrity and availability of user data and the user experience is significant.

Affected systems are installations of the WordPress plugin JB News Ticker version 1.0 or earlier. The vendor is jobair, and the plugin is distributed under the jobair:JB News Ticker product name. Any WordPress site that has the plugin installed and allows contributor‑level accounts to edit or create posts that include the 'jbticker' shortcode is vulnerable. Version information is limited to all releases <=1.0; the exact patch version is not disclosed in the data.

The CVSS base score of 6.4 indicates a moderate level of severity, and the EPSS of <1% suggests that the likelihood of exploitation in the wild is low. The vulnerability is not listed in the CISA KEV catalog, reinforcing that it is not currently widely exploited. However, because the attack requires only an authenticated Contributor role, which is a common role on multi‑user WordPress sites, the potential for abuse remains. Exploitability stems from the lack of input validation; an attacker can insert a payload directly through the shortcode tag in WordPress content.