Impact
The vulnerability resides in the VigLink SpotLight By ShortCode plugin for WordPress, where the 'float' attribute of the 'spotlight' shortcode is neither sanitized on input nor escaped on output. As a result, an attacker who can authenticate to the WordPress site with at least Contributor privileges can inject arbitrary JavaScript into content that is stored and later rendered. The injected code executes in the browser of any visitor who views the affected page, enabling defacement, credential theft, or session hijacking. The weakness is a classic input validation flaw classified as CWE-79 (stored cross-site scripting). The impact is direct compromise of the confidentiality and integrity of the website's content, while the availability of the site is unlikely to be affected.
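To make the bug class concrete, here is a hypothetical shortcode handler showing the unescaped pattern beside a hardened one. This is added illustration, not the plugin's own code: only the shortcode tag 'spotlight' and the 'float' attribute come from the advisory; the handler structure, the default value and the allow-list are assumptions.

```php
<?php
// Hypothetical handler for the 'spotlight' shortcode (not the VigLink
// SpotLight By ShortCode plugin's real code). Only the tag name and the
// 'float' attribute are taken from the advisory; everything else is assumed.

// Vulnerable pattern: the user-supplied attribute is concatenated straight
// into an HTML attribute. A Contributor can store any string here, and it is
// rendered unescaped in every visitor's browser (stored XSS, CWE-79).
function spotlight_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'float' => 'left' ), $atts, 'spotlight' );
    return '<div class="spotlight" style="float:' . $atts['float'] . '">'
         . '<!-- widget markup -->'
         . '</div>';
}

// Hardened pattern: treat 'float' as an enumerated value, not free text.
// 1. Normalise and allow-list: only the CSS values the feature needs.
// 2. Escape on output anyway (esc_attr), so even a future slip in the
//    allow-list cannot break out of the attribute context.
function spotlight_shortcode_hardened( $atts ) {
    $atts = shortcode_atts( array( 'float' => 'left' ), $atts, 'spotlight' );

    $allowed = array( 'left', 'right', 'none' ); // assumed set of valid values
    $float   = strtolower( trim( (string) $atts['float'] ) );
    if ( ! in_array( $float, $allowed, true ) ) {
        $float = 'left'; // fall back to the default instead of echoing input
    }

    return '<div class="spotlight" style="float:' . esc_attr( $float ) . '">'
         . '<!-- widget markup -->'
         . '</div>';
}

add_shortcode( 'spotlight', 'spotlight_shortcode_hardened' );
```

When auditing an existing site, the same allow-list check can be run over stored post content to flag 'spotlight' shortcodes whose float value is not one of the expected keywords, which is a useful indicator that the flaw has already been abused.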
Affected Systems
This flaw affects the VigLink SpotLight By ShortCode WordPress plugin, version 1.0.a and all earlier releases. The plugin is distributed under the name VigLink SpotLight By ShortCode and may be present on any WordPress installation that has installed or upgraded to one of these versions. No distribution channel beyond the WordPress Plugin Repository is mentioned, so any site with the plugin enabled could be vulnerable.
Risk and Exploitability
The CVSS score of 6.4 reflects a medium-severity vulnerability that requires authenticated access to exploit. The EPSS score of less than 1% indicates a very low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The likely attack path is a Contributor-level user submitting a malicious shortcode value; no privilege escalation or remote code execution is required beyond authenticated use. Because the flaw is a stored XSS, successful exploitation leads to script execution in the browsers of site visitors, which can have serious consequences if the site is deliberately targeted.
OpenCVE Enrichment