Impact
The Custom Post Type Date Archives plugin allows execution of any shortcode supplied by a user without validating the source or ensuring that the user has proper privileges. This flaw is a form of code injection that lets an unauthenticated adversary insert malicious shortcodes which may be processed by WordPress’s `do_shortcode` function, potentially allowing the attacker to run arbitrary code or commands. The resulting breach could compromise the confidentiality, integrity, and availability of the site, and may ultimately provide full control over the web application.
Affected Systems
The vulnerability affects the WordPress plugin Custom Post Type Date Archives, released by keesiemeijer, in all versions up to and including 2.7.1. Administrators running any of these releases should be aware that they do not contain the authorization checks needed to limit shortcode execution to trusted users.
Risk and Exploitability
With a CVSS score of 7.3, the flaw is considered high severity, yet the EPSS score is listed as less than 1%, indicating a very low probability of exploitation at the moment. The vulnerability is not present in the CISA KEV catalog, which further suggests that there are no widely documented exploits. The attack vector is inferred to be unauthenticated and remote, likely via a crafted HTTP request or by embedding a malicious shortcode in a page or post that the plugin parses, because the plugin fails to enforce user permissions before calling `do_shortcode`. While this chain of exploitation is viable, the low EPSS score reflects the relative novelty of, or low market interest in, this particular vector. Nonetheless, the potential impact warrants prompt action to eliminate the risk.
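The missing check described above, shown as a generic pattern beside a hardened form. This is an added example, not code from the plugin: the function names, the `markup` parameter, the `example_render` action and the `example_archive` tag are hypothetical, and the request entry point is an assumption.

```php
<?php
// Added illustration with hypothetical names; not the plugin's own code.

// Weak pattern: request data reaches do_shortcode() with no checks.
function example_render_unchecked() {
    $markup = wp_unslash( $_REQUEST['markup'] ?? '' ); // hypothetical parameter
    echo do_shortcode( $markup ); // every registered shortcode runs for any caller
    wp_die();
}

// Hardened pattern: authorize the caller, then run only allowlisted tags.
function example_render_checked() {
    // 1. Require a valid nonce for this action (dies on failure) and a
    //    capability that only trusted users hold.
    check_ajax_referer( 'example_render', 'nonce' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $markup  = wp_kses_post( wp_unslash( $_POST['markup'] ?? '' ) );
    $allowed = array( 'example_archive' ); // hypothetical shortcode tag

    // 2. Gate every shortcode call, including nested ones, through the
    //    pre_do_shortcode_tag filter. Returning a non-false value
    //    short-circuits the tag, so tags outside the allowlist render as ''.
    $gate = function ( $output, $tag ) use ( $allowed ) {
        return in_array( $tag, $allowed, true ) ? $output : '';
    };
    add_filter( 'pre_do_shortcode_tag', $gate, 10, 2 );
    $html = do_shortcode( $markup );
    remove_filter( 'pre_do_shortcode_tag', $gate, 10 );

    wp_send_json_success( $html );
}

// Registered for logged-in requests only: no wp_ajax_nopriv_ counterpart,
// so unauthenticated callers never reach the handler.
add_action( 'wp_ajax_example_render', 'example_render_checked' );
```

When reviewing a plugin for this class of flaw, trace each `do_shortcode` call back to its input and confirm that both a capability check and a tag restriction sit between the request and the call.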