Impact
The AIO Shortcodes plugin, in versions up to 1.3, stores user-provided content without adequate escaping. When that content is later rendered, an attacker's JavaScript executes in the victim's browser, in the session of any user who views the affected page. The weakness is stored cross-site scripting (CWE-79) and does not require elevated privileges beyond normal content-editing rights.
Affected Systems
WordPress sites that have installed the hkharpreetkumar1 AIO Shortcodes plugin version 1.3 or earlier are vulnerable, regardless of the WordPress core version. The issue manifests in both the administrative interface, where users can submit or edit content, and the public‑facing pages where that content is displayed.
Risk and Exploitability
The CVSS score of 7.1 indicates moderate-to-high severity. The EPSS score below 1% suggests that current exploitation attempts are unlikely, and the vulnerability is not listed in CISA's KEV catalog. Nonetheless, the potential impact is substantial because arbitrary JavaScript can run in any visitor's browser. The likely attack vector is the submission of malicious content through the plugin's shortcode feature, which an attacker can do if they hold a role that permits content creation or editing. The attacker needs nothing beyond typical author or administrator privileges.
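A shortcode handler with this class of flaw beside its hardened form, as an added example that is not the AIO Shortcodes plugin's code. The `[example_box]` shortcode, its attributes and both function names are hypothetical, and the snippet assumes it is loaded by WordPress from a plugin file.

```php
<?php
// Hypothetical shortcode [example_box]; not code from the AIO Shortcodes plugin.
// Assumes WordPress has loaded this file, so its shortcode and escaping APIs exist.

// Before: attribute values and enclosed content are concatenated into markup
// verbatim, so whatever was saved in the post is parsed as HTML by every viewer.
function example_box_unsafe( $atts, $content = '' ) {
    $atts = shortcode_atts(
        array( 'title' => '', 'link' => '', 'style' => 'info' ),
        $atts,
        'example_box'
    );
    return '<div class="box ' . $atts['style'] . '">'
        . '<a href="' . $atts['link'] . '">' . $atts['title'] . '</a>'
        . $content . '</div>';
}

// After: each value is escaped at output time for the context it lands in.
function example_box_safe( $atts, $content = '' ) {
    $atts = shortcode_atts(
        array( 'title' => '', 'link' => '', 'style' => 'info' ),
        $atts,
        'example_box'
    );

    // Allow-list the class suffix instead of trusting free text.
    $allowed = array( 'info', 'warning', 'success' );
    $style   = in_array( $atts['style'], $allowed, true ) ? $atts['style'] : 'info';

    return sprintf(
        '<div class="%s"><a href="%s">%s</a>%s</div>',
        esc_attr( 'box ' . $style ),  // HTML attribute context
        esc_url( $atts['link'] ),     // URL context: disallowed schemes yield ''
        esc_html( $atts['title'] ),   // HTML text context
        wp_kses_post( $content )      // enclosed content: post-level HTML allow-list
    );
}

// Register only the hardened handler.
add_shortcode( 'example_box', 'example_box_safe' );
```

Escaping when the shortcode is rendered, rather than only when the post is saved, also neutralizes values that were stored before a fix was deployed.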