Impact
The vulnerability is improper neutralization of input during page generation, which allows an attacker to store malicious script code through the Horizontal Line Shortcode plugin. When the stored content is rendered, the script executes in the browsers of site visitors, potentially exposing sensitive data, hijacking sessions, or delivering further malware. This flaw maps to CWE-79 and is a classic stored XSS weakness that can compromise confidentiality, integrity, and availability for users who view affected pages.
Affected Systems
The affected product is mikakaltoft’s Horizontal Line Shortcode plugin for WordPress. All releases of the plugin up to and including version 1.0 are vulnerable; no specific sub‑bundle information is provided.
Risk and Exploitability
The CVSS score of 6.5 places the flaw in the medium severity range, while the EPSS score of less than 1% indicates a very low current likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to inject malicious content that is stored by the plugin, typically an operation that a site administrator or a user with sufficient editing privileges can perform. Absent such privileges, the attack vector is infeasible. Even with the low EPSS, the impact of script execution in visitors' browsers warrants immediate attention.