Impact
A Cross‑Site Request Forgery weakness (CWE‑352) in the Shortcode in Comment WordPress plugin lets an attacker forge a request that, when it is submitted from the browser of a user who is already logged in, stores malicious JavaScript in a comment. Once the comment is saved, every visitor to a page that renders it executes the injected script. The resulting stored cross‑site scripting can be used to steal session cookies or credentials, deface content or, when the victim of the forged request is an administrator, drive further administrative actions that can lead to code execution on the site. The attacker needs no credentials of their own; what is required is that a user who holds a valid authenticated session (an administrator being the most damaging target) be induced to visit an attacker‑controlled page or follow a link that issues the forged request, which is what makes the issue serious in practice.
Affected Systems
The Shortcode in Comment plugin, developed by Kelvin Ng, is affected in all releases up to and including version 1.1.1. WordPress sites still running any of these versions remain vulnerable until the plugin is updated to a release newer than 1.1.1 or removed.
Risk and Exploitability
With a CVSS score of 7.1, the issue is rated high severity. The EPSS score of less than 1% indicates a low current probability of exploitation in the wild, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. The realistic attack path is a cross‑site request: a victim who is logged in to the WordPress site visits an attacker‑controlled page whose hidden form or script submits the crafted request to the plugin's endpoint, and the browser attaches the victim's session cookies automatically (subject to the browser's SameSite cookie handling). The stored script then runs for every subsequent viewer of the comment. Mitigation on the plugin side needs both a CSRF token (a WordPress nonce verified on every state‑changing request) and a capability check, together with sanitization of the comment content before it is stored or rendered: a nonce alone stops forged requests but does not remove script that a legitimate user submits, and sanitization alone does not stop the forgery.
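The following is an added illustration of the vulnerability class and its fix, not code from the Shortcode in Comment plugin (the page does not disclose the plugin's own handler). It shows a hypothetical admin‑side "update comment" action in two forms: the CSRF‑able pattern, then the same action hardened with a WordPress nonce, a capability check and content sanitization. All `demo_` function, action and field names are invented for the example; the WordPress API calls (`check_admin_referer`, `wp_nonce_field`, `current_user_can`, `wp_kses_post`, `wp_update_comment`) are real.

```php
<?php
/**
 * Added example (not the plugin's code). Hypothetical "update comment" action
 * registered on admin-post.php, shown vulnerable and then hardened.
 * Names prefixed demo_ are made up for this illustration.
 */

// --- Vulnerable pattern (do not use) ---------------------------------------
// Reachable by any logged-in browser via a cross-site POST to
// /wp-admin/admin-post.php?action=demo_update_comment. There is no nonce and no
// capability check, and the content is stored as submitted. WordPress's own
// comment kses filtering is skipped for users holding unfiltered_html (an
// administrator on a single site), so a forged request riding an admin session
// stores a <script> tag unchanged.
function demo_update_comment_vulnerable() {
    $comment_id = isset( $_POST['comment_id'] ) ? (int) $_POST['comment_id'] : 0;
    $content    = isset( $_POST['content'] ) ? wp_unslash( $_POST['content'] ) : '';

    wp_update_comment( array(
        'comment_ID'      => $comment_id,
        'comment_content' => $content, // stored XSS when rendered unescaped
    ) );
    wp_safe_redirect( admin_url( 'edit-comments.php' ) );
    exit;
}
// add_action( 'admin_post_demo_update_comment', 'demo_update_comment_vulnerable' );

// --- Hardened pattern -------------------------------------------------------
// 1. The form emits a nonce bound to both the action and the comment ID, so a
//    token issued for one comment cannot be replayed against another.
function demo_render_form( $comment_id ) {
    $comment_id = absint( $comment_id );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'demo_update_comment_' . $comment_id, 'demo_nonce' ); ?>
        <input type="hidden" name="action" value="demo_update_comment">
        <input type="hidden" name="comment_id" value="<?php echo esc_attr( $comment_id ); ?>">
        <textarea name="content"></textarea>
        <button type="submit">Save</button>
    </form>
    <?php
}

// 2. The handler verifies the nonce (CSRF), then the capability (authorization),
//    then sanitizes the content before storing it (stored-XSS defense in depth).
function demo_update_comment_hardened() {
    $comment_id = isset( $_POST['comment_id'] ) ? absint( $_POST['comment_id'] ) : 0;

    // check_admin_referer() calls wp_die() on a missing or invalid nonce, so a
    // cross-site forged POST never reaches the update below. An attacker cannot
    // read the victim's nonce from their own origin.
    check_admin_referer( 'demo_update_comment_' . $comment_id, 'demo_nonce' );

    if ( ! $comment_id || ! current_user_can( 'edit_comment', $comment_id ) ) {
        wp_die( esc_html__( 'You are not allowed to edit this comment.', 'demo' ), '', array( 'response' => 403 ) );
    }

    $raw = isset( $_POST['content'] ) ? wp_unslash( $_POST['content'] ) : '';
    // wp_kses_post() strips <script>, on* event handlers and javascript: URLs,
    // and is applied here regardless of the unfiltered_html capability.
    $content = wp_kses_post( $raw );

    wp_update_comment( array(
        'comment_ID'      => $comment_id,
        'comment_content' => $content,
    ) );
    wp_safe_redirect( admin_url( 'edit-comments.php' ) );
    exit;
}
add_action( 'admin_post_demo_update_comment', 'demo_update_comment_hardened' );

// 3. Output side: when a theme or shortcode echoes comment content itself rather
//    than through comment_text(), escape on render as well, so content stored
//    before the fix still cannot execute.
function demo_render_comment_body( $comment ) {
    echo wp_kses_post( $comment->comment_content );
}
```

The order inside the hardened handler matters: the nonce check runs before anything else so that a forged request is rejected before any database access, and the capability check is tied to the specific comment (`edit_comment` with the ID) rather than a blanket role test. Sanitizing on both store and render is deliberate: the former limits what lands in the database, the latter covers comments that were already stored by an unpatched version.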