Improper neutralization of input during web page generation provides a stored XSS flaw in the WordPress "Related Post Shortcode" plugin, allowing an attacker to embed persistent JavaScript code that executes whenever a page rendering the plugin’s output is viewed. The injected script can hijack user sessions, deface page content, or redirect users to malicious sites. The impact remains confined to the browser context of users who visit the affected page, but it can be leveraged for phishing or credential theft scenarios.

Any installation of the WordPress "Related Post Shortcode" plugin released by enguerranws with version 1.2 or earlier is vulnerable. Sites that insert shortcodes managed by this plugin into posts or pages are at risk until the plugin is updated or removed.

The CVSS score of 5.9 reflects moderate severity while the EPSS score of less than 1% indicates a low likelihood of exploitation as of the analysis. The vulnerability is not listed in CISA’s KEV catalog. Based on the description, it is inferred that an attacker would need the ability to insert or edit content via the plugin’s interface—most likely requiring authenticated write privileges—to store the malicious script. While the CVE does not explicitly state the authentication requirement, the necessity of content injection suggests that unauthenticated exploitation is improbable. Once the script is stored, it will run in the browsers of any user who navigates to the affected page, delivering the stated potential adversarial actions.