Impact
This vulnerability is an improper neutralization of input during web page generation that allows reflected cross-site scripting. If an attacker can craft a request that contains malicious script and have it embedded into a page generated by the plugin, the script executes in the browser of any user who views that page, with the privileges of that user's session on the site. The outcome is arbitrary JavaScript execution in the victim's browser, which can enable session hijacking, credential theft, or injection of malicious page content. The weakness is a classic input validation flaw (CWE-79).
Affected Systems
WordPress sites running the Simple shortcode buttons plugin by Davidpuc at version 1.3.2 or earlier are affected. The plugin does not properly sanitize user-supplied shortcode parameters, so malicious content can be reflected into the generated page.
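To make the sanitization failure concrete, the following is an added PHP illustration, not code from the Simple shortcode buttons plugin: a generic WordPress shortcode handler that concatenates its attributes straight into markup, beside a hardened version that escapes each value for the context it lands in. The shortcode attribute names, the markup, the stand-in definitions for the WordPress helpers (present only so the file runs under plain `php`), and the sample input are all assumptions constructed for this example.

```php
<?php
// Added illustration; not the plugin's own code. Attribute names, markup and
// the guarded stand-ins below are assumptions. Inside WordPress the real
// shortcode_atts/esc_* functions are used; under plain `php` the stand-ins run.

if (!function_exists('shortcode_atts')) {
    // Stand-in: keep only known attributes, fill the rest from defaults.
    function shortcode_atts(array $defaults, array $atts): array {
        return array_merge($defaults, array_intersect_key($atts, $defaults));
    }
}
if (!function_exists('esc_attr')) {
    // Stand-in: encode quotes and angle brackets so a value cannot close an attribute.
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    // Stand-in: same encoding is safe for text-node context.
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    // Stand-in: allow only http(s), site-relative and fragment URLs, then attribute-encode.
    function esc_url(string $s): string {
        $u = trim($s);
        if (preg_match('#^(?:https?://|/|\#)#i', $u) !== 1) {
            return '';
        }
        return htmlspecialchars($u, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Vulnerable pattern: user-controlled attribute values are written verbatim
// into HTML, so a value containing `"` or `<` changes the page structure.
function button_shortcode_vulnerable(array $atts): string {
    $a = shortcode_atts(['url' => '#', 'label' => 'Click', 'class' => 'btn'], $atts);
    return '<a href="' . $a['url'] . '" class="' . $a['class'] . '">'
         . $a['label'] . '</a>';
}

// Hardened pattern: every value is escaped for its output context
// (URL attribute, plain attribute, text node) at the point of output.
function button_shortcode_hardened(array $atts): string {
    $a = shortcode_atts(['url' => '#', 'label' => 'Click', 'class' => 'btn'], $atts);
    return '<a href="' . esc_url($a['url']) . '" class="' . esc_attr($a['class']) . '">'
         . esc_html($a['label']) . '</a>';
}

// Constructed sample input: a class value that closes the attribute and the tag.
$sample = ['label' => 'Buy', 'class' => 'btn"><i>injected</i>'];

echo "vulnerable: ", button_shortcode_vulnerable($sample), PHP_EOL;
echo "hardened:   ", button_shortcode_hardened($sample), PHP_EOL;
```

Run it with `php example.php`: the vulnerable output contains a new `<i>` element outside the link, while the hardened output keeps the whole value inside the `class` attribute as `btn&quot;&gt;&lt;i&gt;injected&lt;/i&gt;`. The point for reviewers is that escaping must be chosen per output context and applied where the value is emitted; validating shortcode input elsewhere does not replace it. Site owners cannot patch the plugin's templates themselves, so the practical mitigation is to move to a release newer than 1.3.2.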
Risk and Exploitability
The CVSS score of 7.1 indicates high severity. The EPSS score is below 1%, suggesting exploitation is currently very unlikely, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a crafted URL or shortcode parameter that, when processed by the plugin, results in script being injected into the rendered page. This can be performed remotely without site privileges, and any user who visits the page is affected.
OpenCVE Enrichment