Impact
A stored cross-site scripting (XSS) flaw exists in the Simple Business Data WordPress plugin. The plugin fails to sanitize or escape the value of the 'type' attribute of the 'simple_business_data' shortcode and embeds it directly into the class attribute of the rendered HTML. An attacker who can create or edit content with contributor-level or higher access can inject arbitrary JavaScript that executes in the browser of any user who visits a page containing the compromised shortcode. The script runs client-side and may be used to steal session cookies, redirect users, or perform other malicious actions within the context of the victim's authenticated session.
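The pattern behind this class of bug, and the fix a maintainer would apply, as an added illustration that is not the plugin's own code: a hypothetical shortcode handler (registered under the made-up name 'sbd_example' so it does not collide with the real plugin) that drops the 'type' attribute into a class attribute unescaped, beside a hardened version that allow-lists the value and escapes it for the attribute context. It assumes a WordPress runtime for add_shortcode(), shortcode_atts(), sanitize_html_class() and esc_attr(); the allowed type names are invented.

```php
<?php
// Added example, not code from the Simple Business Data plugin.
// Assumes WordPress core is loaded (add_shortcode, shortcode_atts,
// sanitize_html_class, esc_attr are WordPress functions).

// Vulnerable pattern: the user-controlled 'type' value is concatenated
// straight into the class attribute. A contributor-level author who can
// place the shortcode controls everything after the opening quote.
function sbd_example_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'type' => 'default' ), $atts, 'sbd_example' );
    return '<div class="sbd-' . $atts['type'] . '">content</div>';
}

// Hardened version: validate the value against the types the shortcode
// actually supports, then escape for the HTML attribute context anyway.
function sbd_example_shortcode_fixed( $atts ) {
    $atts = shortcode_atts( array( 'type' => 'default' ), $atts, 'sbd_example' );

    // 1. Allow-list (hypothetical type names for this example).
    $allowed = array( 'default', 'phone', 'email', 'address' );
    $type    = in_array( $atts['type'], $allowed, true ) ? $atts['type'] : 'default';

    // 2. Defence in depth: sanitize_html_class() keeps only [A-Za-z0-9_-],
    //    and esc_attr() encodes quotes and angle brackets, so even a value
    //    that slipped past the allow-list cannot close the attribute.
    $class = 'sbd-' . sanitize_html_class( $type, 'default' );
    return '<div class="' . esc_attr( $class ) . '">content</div>';
}

add_shortcode( 'sbd_example', 'sbd_example_shortcode_fixed' );
```

A constructed attribute such as type='card" data-x="x' renders as a new attribute in the vulnerable handler but collapses to class="sbd-default" in the fixed one.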
Affected Systems
The vulnerability affects the Simple Business Data plugin developed by dmbarber, installed on WordPress sites. All released plugin versions up to and including 1.0.1 are impacted; newer releases beyond 1.0.1 are not listed as affected.
Risk and Exploitability
The CVSS score for this issue is 6.4, indicating moderate severity. The EPSS score is reported as less than 1%, reflecting a low probability of exploitation within the current timeframe, and the vulnerability is not yet listed in CISA’s KEV catalog. Exploitation requires an authenticated user with contributor or higher privileges, but the resulting XSS can affect any visitor to the compromised page. Overall, the risk is moderate, with low likelihood but potentially significant impact on users of the site.
OpenCVE Enrichment