Impact
The Share to Google Classroom plugin is vulnerable to a stored Cross‑Site Scripting flaw because user-supplied attributes in the share_to_google shortcode are not properly sanitized or escaped before being rendered. An attacker who has Contributor or higher access can embed arbitrary scripts that will run whenever another user views a page containing the injected shortcode. The impact is the execution of attacker‑supplied code in the victim’s browser, potentially allowing defacement, session hijacking or the theft of sensitive data from the user’s session.
Affected Systems
The flaw affects the WordPress plugin Share to Google Classroom (vendor pritenhshah) in all releases up to and including version 1.0. The vulnerability exists regardless of the WordPress core version, provided the plugin remains installed and the share_to_google shortcode is utilized.
Risk and Exploitability
The CVSS score of 6.4 classifies the issue as moderate severity. The EPSS score of less than 1% indicates a very low but non‑zero probability of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog, suggesting no known active exploits. Attackers must be authenticated with at least Contributor privileges and must insert the malicious payload via the shortcode, which limits the threat to trusted users or administrators. Once the payload is inserted, however, every site visitor who accesses the affected page is exposed, making the risk significant within the internal user community.
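For triage on a site where the plugin is or was installed, stored post content can be searched for the share_to_google shortcode and its attribute values reviewed. The following is an added example, not code from the plugin or from OpenCVE; the attribute names in the sample posts, the function names and the flagging rules are assumptions made for illustration.

```python
import html
import re

# Matches each [share_to_google ...] tag and captures its raw attribute string.
SHORTCODE_RE = re.compile(r"\[share_to_google\b([^\]]*)\]", re.IGNORECASE)
# WordPress-style attributes: name="v", name='v', or name=v (unquoted).
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'\]]+))""")
# Heuristic rules (assumption): content with no place in a share-button attribute.
SUSPICIOUS = [
    ("markup or quote character", re.compile(r"[<>\"'`]")),
    ("event-handler pattern", re.compile(r"\bon\w+\s*=", re.IGNORECASE)),
    ("script-capable URL scheme",
     re.compile(r"^\s*(?:javascript|data|vbscript):", re.IGNORECASE)),
]

def audit_post(post_id, content):
    """Return (post_id, attribute, reason) findings for one post body."""
    findings = []
    for tag in SHORTCODE_RE.finditer(content):
        for m in ATTR_RE.finditer(tag.group(1)):
            name = m.group(1).lower()
            raw = next(g for g in m.groups()[1:] if g is not None)
            value = html.unescape(raw)  # stored content may be entity-encoded
            for reason, pattern in SUSPICIOUS:
                if pattern.search(value):
                    findings.append((post_id, name, reason))
    return findings

def audit_posts(posts):
    """Audit a {post_id: content} mapping, e.g. rows exported from wp_posts."""
    results = []
    for post_id, content in sorted(posts.items()):
        results.extend(audit_post(post_id, content))
    return results

# Constructed sample data; "url" and "title" are hypothetical attribute names.
SAMPLE_POSTS = {
    101: 'Homework: [share_to_google url="https://example.org/unit-3" title="Unit 3"]',
    102: "Draft: [share_to_google title='Week 4\" onmouseover=\"placeholder()']",
    103: "No shortcode in this post.",
    104: '[share_to_google url="javascript:placeholder()"]',
}

if __name__ == "__main__":
    for post_id, attr, reason in audit_posts(SAMPLE_POSTS):
        print(f"post {post_id}: attribute '{attr}' flagged ({reason})")
```

A flagged post is a candidate for manual review alongside its author and revision history, not proof of injection; a legitimate title containing an apostrophe is also flagged.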