Impact
Improper neutralization of input during web page generation in the tychesoftwares Arconix Shortcodes plugin, in versions up to 2.1.15, allows attackers to inject scripts into reflected responses. The flaw is a classic reflected cross‑site scripting vulnerability (CWE‑79). An attacker can craft a URL that carries a script payload; when a victim clicks the link or is tricked into visiting it, the embedded script runs inside the victim’s browser, enabling cookie theft, session hijacking, and delivery of further malicious content.
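To make the CWE‑79 pattern concrete, the following is an added illustration written for this page; it is not code from the Arconix Shortcodes plugin, and the shortcode name, the `title` parameter and the two handler functions are hypothetical. It shows a shortcode handler that reflects a request parameter into generated HTML without encoding, beside the hardened form that sanitizes on input and encodes for the exact output context using WordPress's own escaping helpers (with small fallbacks so the file also runs from the PHP command line outside WordPress).

```php
<?php
// Added illustration of CWE-79 in a WordPress shortcode handler.
// NOT code from the Arconix Shortcodes plugin; the shortcode name,
// the "title" parameter and both handler functions are hypothetical.

// Stand-alone fallbacks so this file runs outside WordPress (php cli).
// Inside WordPress the real implementations of these helpers are used.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) { return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' ); }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) { return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' ); }
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
    function sanitize_text_field( $text ) { return trim( strip_tags( (string) $text ) ); }
}
if ( ! function_exists( 'wp_unslash' ) ) {
    function wp_unslash( $value ) { return stripslashes( (string) $value ); }
}

// VULNERABLE pattern: the request parameter is concatenated straight into
// the generated markup, so whatever the URL carries is reflected verbatim.
function example_box_vulnerable( $atts = array() ) {
    $title = isset( $_GET['title'] ) ? $_GET['title'] : '';
    return '<div class="box" data-title="' . $title . '"><h3>' . $title . '</h3></div>';
}

// HARDENED pattern: sanitize on input, then encode for the exact HTML
// context the value lands in (attribute value vs. element text).
function example_box_safe( $atts = array() ) {
    $title = isset( $_GET['title'] ) ? sanitize_text_field( wp_unslash( $_GET['title'] ) ) : '';
    return '<div class="box" data-title="' . esc_attr( $title ) . '"><h3>'
         . esc_html( $title ) . '</h3></div>';
}

if ( function_exists( 'add_shortcode' ) ) {
    add_shortcode( 'example_box', 'example_box_safe' );
}

// Constructed request value (not a payload from the advisory) that closes
// the attribute and injects markup in the vulnerable version only.
$_GET['title'] = '"><b>injected</b>';
echo example_box_vulnerable(), PHP_EOL;
echo example_box_safe(), PHP_EOL;
```

Run with `php example.php`: the first line of output contains the injected `<b>` element as live markup, while the second keeps it as inert text. The design point is that sanitization alone is not the fix; the value must also be encoded with the helper that matches its destination (`esc_attr()` inside an attribute, `esc_html()` in element text), since a value that is safe in one context can still break out of another.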
Affected Systems
The affected product is the Tychesoftwares Arconix Shortcodes WordPress plugin. All versions from the initial release through version 2.1.15 are vulnerable. The available references list every release up to that minor version as affected; because no starting version is specified, all earlier releases are presumed to be affected as well.
Risk and Exploitability
The CVSS score is 7.1, indicating high severity for a client‑side attack. The EPSS score is below 1 %, suggesting a low exploitation likelihood at present, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is web‑based and does not require authentication; based on the description, it is inferred that any public endpoint that reflects user‑supplied parameters could be used to trigger the flaw. Because the flaw is reflected, a single crafted URL can affect any user who visits it, but the impact stays confined to that user’s browser: nothing is stored on the server and no additional privileges are gained.
OpenCVE Enrichment