Impact
The vulnerability in the Arconix Shortcodes plugin arises from insufficient sanitization of user-supplied input, allowing an attacker to embed script that is stored by the site and served to every visitor of the affected page. The weakness is classified as CWE-79, improper neutralization of input during web page generation. Because the script runs in visitors' browsers within the site's origin, it can perform actions as whoever views the page (an administrator opening a poisoned post can have requests issued to wp-admin or the REST API with their session), read data visible to that user, or deface the site's content, so it bears on confidentiality, integrity and availability. One practitioner's caveat: WordPress sets its authentication cookies HttpOnly, so a payload usually cannot read them via document.cookie; the realistic impact is the script acting with the victim's session rather than exfiltrating the cookie value itself.
Affected Systems
Any WordPress installation running Arconix Shortcodes (vendor tychesoftwares) at version 2.1.20 or earlier is affected. The plugin renders user-provided content through its shortcodes, so any site with the plugin active and not upgraded beyond 2.1.20 is vulnerable regardless of the WordPress core version. The installed version is shown on the wp-admin Plugins page or, on the command line, in the output of wp plugin list.
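The following is an added example, not code from OpenCVE or from the plugin's author: a small Python check that reads the WordPress plugin header from the plugin's main file and reports whether the installed version falls in the affected range (2.1.20 or earlier). It assumes the plugin lives under wp-content/plugins/arconix-shortcodes, which is an assumption about the directory name rather than something this page states, and the plugin file it writes to a temporary directory is constructed for the demonstration.

```python
import os
import re
import tempfile
from typing import Optional, Tuple

# Last affected release per the advisory; anything at or below this is vulnerable.
LAST_AFFECTED = "2.1.20"
# Assumed plugin directory name under wp-content/plugins (the wordpress.org slug);
# confirm against your own installation before relying on it.
PLUGIN_SLUG = "arconix-shortcodes"

# WordPress plugin headers look like " * Version: 2.1.20" inside the leading docblock.
HEADER_RE = re.compile(r"^[\s*#/]*Version:\s*([0-9][0-9A-Za-z.\-]*)\s*$",
                       re.MULTILINE | re.IGNORECASE)


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric tuple for comparison; a non-numeric suffix such as '20-beta' keeps only the number."""
    key = []
    for part in version.split("."):
        m = re.match(r"\d+", part)
        key.append(int(m.group()) if m else 0)
    return tuple(key)


def is_affected(version: str) -> bool:
    return version_key(version) <= version_key(LAST_AFFECTED)


def parse_plugin_version(source: str) -> Optional[str]:
    """Return the Version: header of a WordPress plugin main file, or None if this is not one."""
    if not re.search(r"Plugin Name:", source, re.IGNORECASE):
        return None
    m = HEADER_RE.search(source)
    return m.group(1) if m else None


def check_plugins_dir(plugins_dir: str) -> Optional[dict]:
    """Locate the plugin under plugins_dir and report its version and affected status."""
    plugin_dir = os.path.join(plugins_dir, PLUGIN_SLUG)
    if not os.path.isdir(plugin_dir):
        return None  # not installed under the assumed slug
    for name in sorted(os.listdir(plugin_dir)):
        if not name.endswith(".php"):
            continue
        with open(os.path.join(plugin_dir, name), encoding="utf-8", errors="replace") as fh:
            version = parse_plugin_version(fh.read(8192))  # header sits in the first 8 KB
        if version:
            return {"file": name, "version": version, "affected": is_affected(version)}
    return None


# Constructed plugin header used for the offline demonstration.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Arconix Shortcodes
 * Version: 2.1.20
 */
"""


def demo() -> Optional[dict]:
    """Build a throwaway plugins directory containing the sample header and check it."""
    with tempfile.TemporaryDirectory() as tmp:
        plugin_dir = os.path.join(tmp, PLUGIN_SLUG)
        os.makedirs(plugin_dir)
        with open(os.path.join(plugin_dir, "arconix-shortcodes.php"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_HEADER)
        return check_plugins_dir(tmp)


if __name__ == "__main__":
    print(demo())
```

On a real site, call check_plugins_dir with the path to wp-content/plugins; a None result means the plugin is not present under the assumed directory name, not that the site is safe, so confirm the slug on the Plugins page first.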
Risk and Exploitability
The CVSS score of 6.5 places the issue at medium severity, and the EPSS score of under 1% together with its absence from CISA's KEV catalog indicate that exploitation is currently uncommon. Exploitation typically requires an account able to create or edit a post that contains one of the plugin's shortcodes; once saved, the payload is served to every visitor of that page, which makes the exposure significant for high-traffic sites and for any site where a privileged user (an editor or administrator reviewing content) is likely to open the affected page, since the script runs with whatever privileges the viewer holds. The low EPSS reflects limited observed exploitation rather than low impact, so the plugin should be updated beyond 2.1.20. Updating alone may not be enough: if the fix sanitizes input on save, content stored before the update still carries any payload, so existing posts should be reviewed for injected script.
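Because the payload is stored, a site that ran a vulnerable version should look for script that is already saved in post content. The following Python scanner is an added example, not code from OpenCVE or from the plugin: it walks the shortcodes in each post, parses their attributes, HTML-decodes every value and flags those carrying script indicators. The shortcode names and post rows below are constructed sample data, not the plugin's actual shortcodes or a real database; to run it against a site, feed it rows exported from wp_posts (for example ID and post_content from wp post list --post_type=any --fields=ID,post_content --format=json, which is an assumption about WP-CLI usage rather than something this page documents).

```python
import html
import re
from typing import Dict, List

# Indicators of a script payload inside a shortcode attribute value.
PAYLOAD_PATTERNS = [
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),            # onerror=, onload=, onmouseover=, ...
    re.compile(r"data\s*:\s*text/html", re.I),
    re.compile(r"<\s*(?:iframe|svg|img|object|embed)\b", re.I),
]

# [tag attr="v" ...]; closing tags such as [/tag] are skipped because "/" is not a tag character.
SHORTCODE_RE = re.compile(r"\[([a-zA-Z0-9_-]+)((?:\s+[^\]]*)?)\]")
# name="value", name='value' or name=value. WordPress does not backslash-escape attribute
# values, so a value like  x" onmouseover="alert(1)  can be smuggled inside single quotes.
ATTR_RE = re.compile(r"""([a-zA-Z0-9_-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s\]]+))""")


def parse_attrs(raw: str) -> Dict[str, str]:
    """Return the attribute name/value pairs of one shortcode tag."""
    attrs: Dict[str, str] = {}
    for m in ATTR_RE.finditer(raw):
        value = next(g for g in m.groups()[1:] if g is not None)
        attrs[m.group(1).lower()] = value
    return attrs


def looks_like_payload(value: str) -> bool:
    """Decode entities first so &lt;script&gt; is judged like <script>."""
    decoded = html.unescape(value)
    return any(p.search(decoded) for p in PAYLOAD_PATTERNS)


def scan_post(post_id: int, content: str) -> List[dict]:
    """Flag every shortcode attribute in one post whose value carries a script indicator."""
    findings: List[dict] = []
    for m in SHORTCODE_RE.finditer(content):
        tag, raw_attrs = m.group(1), m.group(2)
        for name, value in parse_attrs(raw_attrs).items():
            if looks_like_payload(value):
                findings.append({"post_id": post_id, "shortcode": tag, "attr": name, "value": value})
    return findings


def scan_posts(posts: List[dict]) -> List[dict]:
    """posts: rows shaped like {"ID": ..., "post_content": ...}, e.g. exported from wp_posts."""
    findings: List[dict] = []
    for post in posts:
        findings.extend(scan_post(int(post["ID"]), post["post_content"]))
    return findings


# Constructed sample rows; the shortcode names are illustrative, not the plugin's actual tags.
SAMPLE_POSTS = [
    {"ID": 12, "post_content": '[box style="blue"]Quarterly update[/box]'},
    {"ID": 15, "post_content": """[box style='x" onmouseover="alert(document.cookie)']Hover me[/box]"""},
    {"ID": 23, "post_content": '[accordion title="&lt;script&gt;alert(1)&lt;/script&gt;" load="1"]Body[/accordion]'},
    {"ID": 31, "post_content": '[button url="javascript:alert(document.domain)" color="red"]Go[/button]'},
]

if __name__ == "__main__":
    for f in scan_posts(SAMPLE_POSTS):
        print(f"post {f['post_id']}: [{f['shortcode']}] attribute {f['attr']!r} = {f['value']!r}")
```

Treat hits as leads rather than verdicts: an event-handler-looking string in a legitimate attribute is possible, so review each flagged post in the editor before removing it, and also check post revisions and custom post types, which keep their own copies of the content.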
OpenCVE Enrichment