Impact
The WordPress GitHub Gist Shortcode Plugin contains a stored cross-site scripting (XSS) flaw in the 'id' attribute of the 'gist' shortcode. Because the plugin neither sanitizes this value on input nor escapes it on output, an authenticated user with Contributor-level or higher privileges can place attacker-controlled markup in a post or page. When any visitor opens a post or page that renders the compromised shortcode, the injected code runs in their browser within the site's origin, which can enable credential theft, session hijacking, defacement or other client-side attacks. Since Contributors cannot publish their own posts, the first victims of such a payload are typically the Editors or Administrators who preview or approve the draft, whose sessions carry far more privilege than the Contributor's. The flaw is a classic injection of client-side code that compromises the confidentiality and integrity of user sessions.
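The following is an added illustration of the vulnerability class described above and in the exploitability notes below; it is not the plugin's own source, which the advisory does not reproduce. It assumes a hypothetical shortcode handler that renders a gist as `<script src="https://gist.github.com/<id>.js"></script>`; the function names, the accepted id format and the sample payload are all constructed for this example. The WordPress API calls used (shortcode_atts, esc_url, add_shortcode) are real.

```php
<?php
// Added example, not the plugin's code. The handler shape below is an
// assumption about how a gist shortcode might build its markup.

// Vulnerable pattern: the 'id' attribute is interpolated straight into HTML.
// A Contributor's post content passes through wp_kses_post() on save, which
// strips <script> tags, so the realistic payload shape is an attribute
// breakout that needs no angle brackets, e.g. (constructed):
//   [gist id='x" onerror="alert(document.domain)//']
// which this handler turns into
//   <script src="https://gist.github.com/x" onerror="alert(document.domain)//.js"></script>
function gist_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'id' => '' ), $atts, 'gist' );
    return '<script src="https://gist.github.com/' . $atts['id'] . '.js"></script>';
}

// Hardened pattern: validate the attribute against the shape a gist id can
// take, then still escape on output (defence in depth).
function gist_shortcode_fixed( $atts ) {
    $atts = shortcode_atts( array( 'id' => '' ), $atts, 'gist' );
    $id   = trim( (string) $atts['id'] );

    // Assumed id format for this example: an optional "<user>/" prefix
    // followed by a hex gist id. Adjust to whatever the real plugin accepts.
    if ( ! preg_match( '#^(?:[A-Za-z0-9][A-Za-z0-9-]{0,38}/)?[0-9a-f]{1,40}$#', $id ) ) {
        return ''; // reject rather than try to repair suspicious input
    }

    // esc_url() strips characters that cannot appear in a URL and encodes
    // quotes, so the value can no longer terminate the src attribute.
    $src = 'https://gist.github.com/' . $id . '.js';
    return '<script src="' . esc_url( $src ) . '"></script>';
}

add_shortcode( 'gist', 'gist_shortcode_fixed' );
```

The important design point is the order of operations: an allow-list check on the attribute decides whether the shortcode renders at all, and output escaping is applied regardless, so a gap in one control does not by itself reopen the injection.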
Affected Systems
The affected product is the GitHub Gist Shortcode Plugin for WordPress, developed by paul1999. Versions up to and including 0.2 are affected; newer releases are not vulnerable.
Risk and Exploitability
The vulnerability has a CVSS score of 6.4, which places it in the medium severity band. The EPSS score is below 1%, suggesting a very low probability of exploitation at the time of analysis, and it is not listed in the CISA KEV catalog. An attacker must first hold an authenticated account with Contributor or higher privileges; they can then embed malicious code through the shortcode, and once the post is previewed or published the script executes in the browser of every user who views the page. The vulnerability is exploited over the web through the WordPress administrative interface by adding or editing a post that includes the problematic shortcode, so auditing recent posts and revisions for unusual 'gist' shortcode attributes is a practical first check on a site running an affected version.
OpenCVE Enrichment