The LJUsers plugin contains a stored cross‑site scripting flaw that allows authenticated users with Contributor or higher privileges to insert malicious JavaScript into the 'name' attribute of the 'ljuser' shortcode. When a page containing that shortcode is viewed, the injected script executes in the victim's browser, enabling actions such as cookie theft, session hijack, or defacement. This vulnerability is classified as CWE‑79, reflecting the lack of proper input validation and output encoding.

WordPress installations that have the jenyay:LJUsers plugin in any version up to and including 1.2.0 are affected. The flaw is exploitable only by users who possess a Contributor role or higher, because such users can edit or create shortcodes that use the plugin.

The CVSS score of 6.4 indicates moderate severity. The EPSS score of less than 1 % suggests that exploitation has not been widely observed, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector requires an attacker to authenticate with Contributor‑level access, which could arise from compromised credentials or social engineering. Once the attacker gains the required role, any user who visits a page containing the injected shortcode will have the payload executed, potentially exposing cookies or allowing the attacker to manipulate the page content. The risk is amplified by the fact that the affected code is stored on the server, making the vulnerability persistent until remediation.