Impact
The Nexter Extension – Site Enhancements Toolkit plugin for WordPress is vulnerable to stored cross‑site scripting through its 'nxt-year' shortcode in all versions up to 4.4.1. The flaw arises because the plugin does not properly sanitize or escape user‑supplied input that is stored and rendered later. An authenticated user with Contributor‑level access can inject arbitrary JavaScript, which then executes in the browsers of anyone who views the affected page, potentially leading to session hijacking, credential theft or site defacement. This weakness corresponds to CWE‑79.
Affected Systems
This vulnerability affects the Nexter Extension – Security, Performance, Code Snippets & Site Toolkit plugin developed by posimyththemes for WordPress. All installations using the plugin in version 4.4.1 or earlier are impacted; versions newer than 4.4.1 are not known to contain the flaw.
Risk and Exploitability
The CVSS score of 6.4 marks this vulnerability as moderate severity. The EPSS score of < 1% indicates a very low probability of exploitation at this time, and the vulnerability is not listed in the CISA KEV catalog, so no widespread exploitation has been reported. Exploitation requires authenticated access with at least Contributor privileges, so the threat is confined to users who can edit content via the plugin. Once a malicious script is stored, however, it runs in the browser of every visitor who renders the affected page, so the impact is not limited to the account that planted it. The likely attack vector is the plugin’s shortcode editor, where an authenticated user can supply the malicious input.
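The pattern behind the Impact and Risk sections above, shown as an added illustration rather than the plugin's own code: a shortcode handler that concatenates a stored attribute into HTML beside a hardened version that whitelists and escapes per output context. Only the shortcode name 'nxt-year' comes from the advisory; the attribute names, handler bodies and function names are assumptions. Contributors do not hold the unfiltered_html capability, so WordPress strips script markup from their post body on save, but a shortcode attribute string passes that filter as plain text and is rendered by whatever the handler returns.

```php
<?php
// Added example, not the plugin's code. 'nxt-year' is from the advisory;
// attribute names, defaults and function names are assumptions.

// Vulnerable pattern: the stored 'class' attribute reaches the page unescaped.
// A value containing a double quote can close the attribute and append markup,
// which is how attribute-context XSS in shortcodes typically arises.
function nxt_year_shortcode_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'format' => 'Y', 'class' => '' ), $atts, 'nxt-year' );
    return '<span class="' . $atts['class'] . '">' . date( $atts['format'] ) . '</span>';
}

// Hardened pattern: restrict each attribute to what a year element needs,
// then escape for the exact context in which it is emitted.
function nxt_year_shortcode_safe( $atts ) {
    $atts = shortcode_atts( array( 'format' => 'Y', 'class' => '' ), $atts, 'nxt-year' );

    // Whitelist the date format instead of passing user input to the formatter.
    $format = in_array( $atts['format'], array( 'Y', 'y' ), true ) ? $atts['format'] : 'Y';

    // sanitize_html_class() reduces the value to [A-Za-z0-9_-]; esc_attr()
    // is still applied because the value lands inside an HTML attribute.
    $class = esc_attr( sanitize_html_class( $atts['class'] ) );

    // esc_html() for the text-node context, even though the output is numeric.
    return '<span class="' . $class . '">' . esc_html( wp_date( $format ) ) . '</span>';
}

// Register only the hardened handler; the unsafe one is kept for comparison.
add_shortcode( 'nxt-year', 'nxt_year_shortcode_safe' );
```

When reviewing a fix for this class of bug, confirm that every attribute is escaped at the point of output with the context-appropriate esc_* function rather than relying on kses filtering of the post body, which does not see inside shortcode output.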
OpenCVE Enrichment