The vulnerability in the Weaver Themes Shortcode Compatibility WordPress plugin permits stored cross‑site scripting: an attacker can inject malicious payloads that are rendered unsanitized when the page loads, leading to potential script execution in the browsers of site visitors. This is an injection flaw classified as CWE‑79 and can compromise confidentiality, integrity, and availability of the website from the perspective of the end user. The description specifically notes improper neutralization of input during web page generation, confirming that user-supplied content is not protected when displayed back to users.

WordPress sites utilizing the wpweaver Weaver Themes Shortcode Compatibility plugin, version 1.0.4 or earlier, are affected. The plugin creates stored data that can be exploited, and any installation that includes these plugin versions remains vulnerable until updated.

With a CVSS score of 6.5, the vulnerability carries moderate risk. The EPSS score of <1% indicates a low probability of exploitation at the current time. It is not listed in the CISA KEV catalog. The attack vector is inferred to be web‑based; an attacker would need to inject malicious input through the plugin’s content fields or other parameters that are stored by the plugin and later rendered in web pages. User interaction such as visiting the affected page would be required for the exploit to execute.