Impact
The Mixlr Shortcode plugin does not sufficiently sanitize the ‘url’ attribute of the ‘mixlr’ shortcode. An authenticated user with contributor or higher privileges can store malicious script in that attribute, and it executes in the browser of any user who views the affected page. This is improper neutralization of input during web page generation (CWE‑79), here taking the form of stored XSS, which can enable credential theft or session hijacking against any user who views the injected content. The impact is confined to cases where the injected content is served to other site visitors: it does not by itself grant system compromise, but it can seriously undermine the confidentiality and integrity of user sessions.
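To make the flaw class concrete, the following is an added illustration, not code from the Mixlr Shortcode plugin or its author: a hypothetical shortcode handler that renders the ‘url’ attribute into an embed iframe, shown first in the unsafe shape the advisory describes and then in a hardened form. The function names, the iframe markup and the mixlr.com host allowlist are assumptions for the example; the WordPress helpers (shortcode_atts, esc_url, wp_parse_url, esc_attr, add_shortcode) are real core functions.

```php
<?php
// Added example, not the plugin's own code. Assumption: the shortcode turns the
// 'url' attribute into the src of an embedded player iframe.

// Unsafe pattern: the attribute is concatenated straight into markup. Nothing
// restricts the URL scheme and nothing escapes attribute delimiters, so a
// contributor-supplied value is rendered verbatim for every visitor (stored XSS).
function mixlr_embed_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'url' => '' ), $atts, 'mixlr' );
    return '<iframe src="' . $atts['url'] . '" width="100%" height="200"></iframe>';
}

// Hardened pattern: validate the value as a URL with an allowed scheme and host,
// then emit it through the escaping function for the HTML attribute context.
function mixlr_embed_hardened( $atts ) {
    $atts = shortcode_atts( array( 'url' => '' ), $atts, 'mixlr' );

    // esc_url() drops URLs whose scheme is not in the allowed list (so javascript:
    // and data: never reach the page) and encodes characters such as quotes and
    // angle brackets that could terminate the attribute. Unsafe input yields ''.
    $url = esc_url( $atts['url'], array( 'http', 'https' ) );
    if ( '' === $url ) {
        return '';
    }

    // Assumed policy: only embed players served from the mixlr.com origin, so an
    // https URL pointing at an attacker-controlled host is rejected as well.
    $host = wp_parse_url( $url, PHP_URL_HOST );
    if ( ! is_string( $host ) || ! preg_match( '/(^|\.)mixlr\.com$/i', $host ) ) {
        return '';
    }

    // $url is already attribute-safe; the remaining values are escaped for
    // consistency so every dynamic piece of the markup passes through an escaper.
    return sprintf(
        '<iframe src="%s" width="%s" height="%s" title="%s"></iframe>',
        $url,
        esc_attr( '100%' ),
        esc_attr( '200' ),
        esc_attr( 'Mixlr player' )
    );
}

// Only the hardened handler is registered.
add_shortcode( 'mixlr', 'mixlr_embed_hardened' );
```

The reason contributor-level shortcodes matter is that WordPress strips script markup from post content submitted by users without the unfiltered_html capability, but shortcode attributes are expanded server-side at render time, so whatever the handler emits bypasses that content filter. Escaping at the point of output, as above, is the control that closes the gap; a review of a plugin's shortcode handlers should check that every attribute reaching HTML goes through a context-appropriate escaper.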
Affected Systems
Any WordPress installation using Mixlr Shortcode version 1.0.1 or earlier. The plugin is identified as mrgeorgegray:Mixlr Shortcode. No other products or versions are listed as affected.
Risk and Exploitability
The CVSS score of 6.4 indicates moderate severity. The EPSS score is below 1%, suggesting a low probability of public exploitation at present, but the vulnerability remains exploitable by any contributor‑level user. The flaw is not listed in CISA’s KEV catalog, so there is no current evidence of widespread exploitation, yet an attacker who can inject content can compromise downstream users whenever the injected page is accessed. The attack vector requires prior authenticated access with at least contributor permissions to create or edit content containing the harmful shortcode.
OpenCVE Enrichment