Impact
The Cute News Ticker WordPress plugin contains a stored cross-site scripting flaw that is triggered when an authenticated user with Contributor or greater privileges supplies malicious code in the 'color' shortcode attribute. The injected script is rendered in the page output and executed in the browsers of all visitors who view the content, potentially allowing attackers to steal session data, deface the site, or redirect users to phishing pages. The weakness stems from inadequate input filtering and the absence of output escaping, classifying it as a typical CWE-79 scenario.
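As an added illustration, not code from the plugin itself: a hypothetical ticker shortcode handler showing the unsafe pattern the advisory describes (attribute value copied straight into an inline style) beside a hardened version that validates the colour and escapes on output. The names demo_ticker, demo_ticker_vulnerable, demo_ticker_hardened and demo_validate_color are assumptions; shortcode_atts, esc_attr, wp_kses_post and add_shortcode are standard WordPress functions.

```php
<?php
// Added example, not the plugin's own code. Function and shortcode names
// are assumptions chosen for illustration.

// Unsafe pattern: the 'color' attribute goes into the style attribute with
// no validation and no escaping, so a Contributor-supplied value can close
// the attribute and inject markup that runs in every visitor's browser.
function demo_ticker_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'color' => '#000000', 'text' => '' ), $atts, 'demo_ticker' );
    return '<div class="ticker" style="color: ' . $atts['color'] . '">'
         . $atts['text'] . '</div>';
}

// Hardened form: accept only values shaped like a CSS colour, then escape
// on output. Validation narrows the input; esc_attr() guarantees the value
// cannot terminate the attribute even if validation is loosened later.
function demo_validate_color( $value, $default = '#000000' ) {
    $value = trim( (string) $value );
    // #rgb or #rrggbb hex forms
    if ( preg_match( '/^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$/', $value ) ) {
        return $value;
    }
    // plain alphabetic CSS colour keyword (red, navy, ...)
    if ( preg_match( '/^[a-zA-Z]{1,20}$/', $value ) ) {
        return strtolower( $value );
    }
    return $default; // anything else is dropped, never echoed
}

function demo_ticker_hardened( $atts ) {
    $atts  = shortcode_atts( array( 'color' => '#000000', 'text' => '' ), $atts, 'demo_ticker' );
    $color = demo_validate_color( $atts['color'] );
    // esc_attr() encodes quotes and angle brackets for the attribute context;
    // wp_kses_post() restricts the body to the HTML allowed in post content.
    return '<div class="ticker" style="color: ' . esc_attr( $color ) . '">'
         . wp_kses_post( $atts['text'] ) . '</div>';
}

add_shortcode( 'demo_ticker', 'demo_ticker_hardened' );
```

Both handlers are shown only so the difference is visible; a plugin would register the hardened one alone, as the last line does.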
Affected Systems
Any WordPress site running the Cute News Ticker plugin at version 1.0 or earlier is vulnerable, provided the plugin is active and Contributor-level users can create or edit posts that use the shortcode. The flaw is present in all releases up to and including 1.0; no later release is known to contain the issue.
Risk and Exploitability
The calculated CVSS score of 6.4 indicates medium severity, while an EPSS score of less than 1 % signals a low likelihood of exploitation in the wild. The vulnerability is not catalogued in the CISA KEV list. Successful exploitation requires the attacker to first authenticate with Contributor-level access, craft a malicious payload within the 'color' attribute, and then inject it into a post or page where the shortcode is rendered. Once stored, the payload remains active for every subsequent viewer until removed, but the initial requirement for authenticated content editing limits the overall risk to sites that grant such permissions.
OpenCVE Enrichment