Impact
The Nite Shortcodes plugin for WordPress contains a flaw that allows malicious JavaScript to be stored and subsequently rendered within web pages. When an attacker is able to inject code that the plugin accepts and retains, that code appears on pages viewed by other users. Executed scripts can steal session cookies, modify page content, or redirect users to phishing sites, thereby compromising confidentiality, integrity, or availability of the web application from the client side.
Affected Systems
Any WordPress installation running the nitethemes Nite Shortcodes plugin at any version from the earliest release through 1.0 is vulnerable. Sites that still run those versions, or that have retained configuration information from them, should be reviewed.
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity, and the EPSS score of less than 1% suggests a low probability of near-term exploitation. The vulnerability is not listed in the CISA KEV catalog. To exploit this flaw, an attacker would need to insert a malicious payload into a data field that the plugin accepts and stores. Based on the description, it is inferred that such a field likely exists for content or shortcode entry. Once stored, the script executes in the browser of any visitor to the affected page, potentially enabling session hijacking or other client-side attacks.