A Cross‑Site Request Forgery vulnerability in the WordPress Twitter Shortcode plugin allows stored cross‑site scripting. The flaw, identified as CWE‑352, occurs when an attacker can submit a forged request that stores malicious script content. The stored XSS payload remains on the site and can execute in the browsers of visitors or administrators, potentially compromising session credentials and defacing the site. The attack requires the ability to send a crafted request to the vulnerable plugin endpoint, which the plugin does not validate for origin, leading to a stored code injection.

The vulnerability affects the WordPress Twitter Shortcode plugin from its initial release up to and including version 0.9. Users running any of those versions on a WordPress installation are susceptible. The affected product is maintained by Starise as the Twitter Shortcode plugin.

The CVSS score of 7.1 reflects a high severity with moderate complexity, and the EPSS score of less than 1% indicates a low likelihood of exploitation at present. Because the flaw is triggered via CSRF, an attacker does not require authentication; a malicious link could suffice if a user with write privileges visits it. The vulnerability is not listed in the CISA KEV catalog, suggesting no widespread known exploitation yet, but the potential for stored XSS warrants prompt action.