The NewStatPress WordPress plugin contains a stored cross‑site scripting flaw that is triggered by a regular expression bypass in the nsp_shortcode function. Unsanitized, user‑supplied attributes are stored and later rendered without proper escaping, allowing an attacker to inject arbitrary JavaScript into page content. When a victim page is viewed, the injected script executes in the victim’s browser with the privileges of the page, enabling session hijacking, data theft, or defacement. The weakness is identified as CWE‑79 and grants attackers the ability to run code within the context of the site’s users.

WordPress installations using the NewStatPress plugin, any release up to and including version 1.4.3. The vulnerability affects all users who have contributed content or higher roles that interact with the plugin’s shortcode functionality.

The CVSS score of 6.4 places this issue in the moderate category, while the EPSS score of less than 1% indicates a low probability of active exploitation. The attack requires authenticated access with at least contributor privileges and is limited to the scope of pages that employ the affected shortcode. The lack of a KEV listing suggests that mass exploitation has not been observed yet, but the medium severity and the need for legitimate WordPress permissions mean the flaw should still be treated with priority.