Impact
The vulnerability allows an attacker to perform a cross‑site request forgery that results in stored cross‑site scripting inside the WordPress MachForm Shortcode plugin. The malicious script is stored and executed with the privileges of any user who views the affected content, enabling session hijacking, credential theft, data exfiltration, phishing, or other malicious actions. This is a confidentiality and integrity breach that can affect every visitor who loads the compromised content.
Affected Systems
All releases of Rick Laymance’s MachForm Shortcode plugin up to and including version 1.4.1 are vulnerable. Sites that host any of these versions of the plugin are impacted.
Risk and Exploitability
The vendor rates it at CVSS 7.1, moderate severity. The EPSS score is very low (<1 %) and the item is not in the CISA KEV list, implying that while exploitation is unlikely, it is still possible. An attacker would likely need an authenticated or trusted user context to inject the cross‑site request, or would have to lure a victim into clicking a malicious link that triggers the forged request. Once the malicious script is stored, it executes on every page that loads the affected shortcode, giving the attacker persistent access. Because the flaw is a CSRF‑to‑XSS chain, the attack surface remains the web interface of the WordPress site.
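The following is an added illustration of the CSRF‑to‑stored‑XSS pattern described above and of the controls that break the chain; it is not code from the MachForm Shortcode plugin and does not describe how that plugin is implemented. All names (the machform_demo_* functions, the 'machform_demo_label' option, the 'machform_demo' shortcode tag) are hypothetical. The insecure handlers are shown only for contrast and are never hooked into WordPress; the hardened handlers verify a nonce (which defeats a forged cross‑origin request), require a capability, sanitize on input and escape on output, so a stored value cannot run as script on pages that render the shortcode.

```php
<?php
// Added example, not the plugin's own code. Hypothetical names throughout.

// --- Vulnerable shape (for contrast only; deliberately NOT hooked below) -----
// No nonce, no capability check, no sanitization: any request carrying the
// field is trusted, so a forged request issued from a logged-in user's browser
// is accepted and the raw value is stored.
function machform_demo_save_insecure() {
    update_option( 'machform_demo_label', $_POST['label'] ); // stored unsanitized
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}

// The stored value is then echoed unescaped into every page using the shortcode,
// which is what turns the CSRF into persistent stored XSS.
function machform_demo_shortcode_insecure( $atts ) {
    return '<div class="machform-label">' . get_option( 'machform_demo_label' ) . '</div>';
}

// --- Hardened shape ---------------------------------------------------------
function machform_demo_save_secure() {
    // check_admin_referer() calls wp_die() when the nonce is missing or invalid,
    // so a cross-site forged request never reaches update_option().
    check_admin_referer( 'machform_demo_save', 'machform_demo_nonce' );

    // Authorization is separate from CSRF protection: a valid nonce from a
    // low-privilege user must still not be allowed to change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'machform-demo' ), '', array( 'response' => 403 ) );
    }

    // Sanitize on input: strips tags and control characters before storage.
    $label = isset( $_POST['label'] ) ? sanitize_text_field( wp_unslash( $_POST['label'] ) ) : '';
    update_option( 'machform_demo_label', $label );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php' ) ) );
    exit;
}

function machform_demo_shortcode_secure( $atts ) {
    $atts  = shortcode_atts( array( 'id' => 0 ), $atts, 'machform_demo' );
    $id    = absint( $atts['id'] ); // numeric attribute: cast, never echo raw
    $label = get_option( 'machform_demo_label', '' );

    // Escape at output time as well: this is the last line of defence if a
    // stored value ever bypassed input sanitization (e.g. written by older code).
    return sprintf(
        '<div class="machform-label" data-form-id="%s">%s</div>',
        esc_attr( $id ),
        esc_html( $label )
    );
}

// The settings form must emit the nonce field the secure handler checks.
function machform_demo_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="machform_demo_save">
        <?php wp_nonce_field( 'machform_demo_save', 'machform_demo_nonce' ); ?>
        <label>Label
            <input type="text" name="label"
                   value="<?php echo esc_attr( get_option( 'machform_demo_label', '' ) ); ?>">
        </label>
        <?php submit_button(); ?>
    </form>
    <?php
}

// Only the hardened handlers are registered.
add_action( 'admin_post_machform_demo_save', 'machform_demo_save_secure' );
add_shortcode( 'machform_demo', 'machform_demo_shortcode_secure' );
```

When reviewing a plugin for this class of bug, the three things to look for are exactly the three differences above: every state‑changing request handler checks a nonce (check_admin_referer() or wp_verify_nonce()), every handler checks a capability with current_user_can(), and every value that reaches the page passes through an escaping function (esc_html(), esc_attr(), esc_url()) at the point of output rather than relying on what was stored.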