The BP Profile Shortcodes Extra plugin contains an improper neutralization of input during web page generation, allowing attackers to store malicious scripts in profile data. If an attacker injects code into a field that the plugin renders without sanitization, the script will execute in any victim’s browser who views that profile, potentially leading to cookie theft, session hijack, defacement, or unauthorized redirects. This is a classic Stored XSS flaw, identified by CWE‑79.

The vulnerability affects the Venutius BP Profile Shortcodes Extra WordPress plugin versions up to and including 2.6.0. Users running any of these releases are exposed.

The CVSS score of 6.5 indicates moderate severity. The EPSS score of less than 1% shows that the probability of exploitation is low, and the vulnerability is not yet listed in CISA's KEV catalog. The most likely attack vector is remote: an attacker who can submit content through the plugin’s input fields can embed malicious code that persists in the site and is served to all visitors of the affected profile pages. No active exploitation reports are evident, but the impact is substantial for users who rely on the plugin for public or private profiles.