The vulnerability allows authenticated users with Contributor-level access to embed arbitrary JavaScript into the form_name attribute of the [woodpecker-connector] shortcode, resulting in stored cross‑site scripting when other site visitors view the page. This stored payload can compromise the confidentiality and integrity of any site visitor by enabling phishing, credential theft, or other malicious client‑side attacks. Because the script runs in the context of the website, the attacker can hijack sessions, deface content, or redirect users to malicious domains.

Affected is the Woodpecker for WordPress plugin, version 3.0.4 and earlier. The plugin’s form handling code fails to escape or sanitize the form_name parameter in its shortcode rendering, allowing XSS. All installations running these versions are vulnerable, regardless of site configuration. Upgrading to a version newer than 3.0.4 removes the flaw.

The CVSS score of 6.4 indicates a medium severity. The EPSS score of <1% shows a very low probability of exploitation at this time, and the vulnerability is not currently listed in CISA’s KEV catalog. Attack requires prior authentication with at least Contributor privileges, so it is not an anonymous exploit but still poses a risk to sites where contributors are granted write access. The stored nature of the payload means any subsequent visitor can be affected, making the impact potentially widespread across all site users.