Impact
Improper neutralization of user input during web page generation (CWE‑79) enables DOM‑based cross‑site scripting (XSS) in the WordPress plugin Twitter Bootstrap Collapse aka Accordian Shortcode. The flaw lets an attacker inject arbitrary JavaScript that runs in the browser of any user who views a page that uses the affected shortcode.
Affected Systems
The vulnerability affects the WordPress plugin Twitter Bootstrap Collapse aka Accordian Shortcode, created by Mohsin Rasool. Any installation running version 1.0 or earlier is susceptible. No patched release is provided for the flaw, so these releases remain at risk unless the plugin is upgraded or removed.
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity. The EPSS score of less than 1% indicates a very low likelihood of exploitation at present, and the issue is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a crafted shortcode attribute or content value that the plugin does not properly escape before rendering it, allowing an attacker to embed script in the page. An external attacker would need either to trick a site administrator into adding a malicious shortcode, or, where the plugin renders content supplied by untrusted users, to inject it directly; the script then runs for every visitor who views that page. The direct consequence is limited to the browsers of site visitors, but, as with any XSS, it may lead to further compromise.
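The passage above locates the risk in shortcode attributes or content that reach the page without escaping. The following example is added here for illustration and is not the plugin's own code: it assumes a hypothetical accordion renderer that turns a panel `id`, `title` and `body` into Bootstrap collapse markup, shows the unescaped version beside a hardened one that escapes each value for its HTML context, and includes a small check a reviewer can run over rendered output to spot a tag that survived unescaped. The sample payload is constructed for the demonstration.

```javascript
// Added example (not the plugin's code). Assumed: the plugin builds
// Bootstrap collapse markup from shortcode values; attribute names
// (id, title, body) are illustrative.

const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape a value for insertion into HTML text or a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Vulnerable rendering: values are concatenated straight into markup,
// so a title such as "<script>...</script>" is emitted as live HTML.
function renderPanelUnsafe(id, title, body) {
  return `<div class="panel">
  <a data-toggle="collapse" href="#${id}">${title}</a>
  <div id="${id}" class="collapse">${body}</div>
</div>`;
}

// Hardened rendering: the id is reduced to a safe character set and
// every untrusted value is escaped for the context it lands in.
function renderPanelSafe(id, title, body) {
  const safeId = String(id).replace(/[^A-Za-z0-9_-]/g, '');
  return `<div class="panel">
  <a data-toggle="collapse" href="#${escapeHtml(safeId)}">${escapeHtml(title)}</a>
  <div id="${escapeHtml(safeId)}" class="collapse">${escapeHtml(body)}</div>
</div>`;
}

// Constructed sample input: a shortcode title carrying script.
const SAMPLE_TITLE = 'FAQ <script>alert(document.cookie)</script>';

// Review check: does rendered markup still contain a script-capable tag
// from the input? The renderer's own <div>/<a> tags are not matched.
function containsRawTag(markup) {
  return /<\s*(script|img|svg|iframe)\b/i.test(markup);
}

// Stand-alone demonstration.
console.log(containsRawTag(renderPanelUnsafe('p1', SAMPLE_TITLE, 'text'))); // true
console.log(containsRawTag(renderPanelSafe('p1', SAMPLE_TITLE, 'text')));   // false
```

In a WordPress plugin the equivalent of `escapeHtml` is the core escaping family (`esc_html`, `esc_attr`) applied at output time, and on the client side the safe counterpart is assigning `textContent` or using `setAttribute` rather than writing untrusted strings into `innerHTML`.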