Impact
Improper neutralization of script‑related HTML tags in the Ketchup Shortcodes plugin enables a stored cross‑site scripting (XSS) vulnerability. Attacker‑controlled input that includes JavaScript or other malicious content can be saved in a post or shortcode and is then executed in the browser of any user who views the affected content. This allows an attacker to steal session cookies, deface content, or redirect victims, compromising the confidentiality and integrity of the site.
Affected Systems
The flaw affects the AyeCode Ketchup Shortcodes plugin for WordPress through version 0.1.2; all installations running that version or any earlier release are potentially impacted. The vendor is AyeCode, and the product name is Ketchup Shortcodes. No specific sub‑product or platform constraints were listed, so any WordPress installation that includes this plugin should be considered vulnerable.
Risk and Exploitability
The CVSS base score of 6.5 classifies the weakness as moderate severity, and the EPSS score of less than 1 % indicates a very low but non‑zero probability of exploitation in the wild. The vulnerability is not currently listed in CISA’s KEV catalogue, suggesting no recorded widespread exploitation. However, because the attack requires only the injection of content that is stored and later rendered, a single compromised account or malicious post can trigger the payload. Applying a patch promptly is the effective countermeasure; if no update is available, disabling or removing the plugin mitigates the risk.
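To make the weakness class described above concrete, the following is an added illustration, not code from the Ketchup Shortcodes plugin (whose internals this advisory does not describe): a hypothetical `[ketchup_box]` shortcode handler that echoes user‑supplied values unescaped, beside the same handler hardened with WordPress output escaping. The shortcode name, attribute names and allowed colour list are assumptions; it assumes WordPress is loaded.

```php
<?php
// Added illustration of stored XSS in a shortcode handler (hypothetical names;
// NOT the Ketchup Shortcodes plugin's own code). Assumes WordPress is loaded.

// Vulnerable form: attribute values and enclosed content are concatenated into
// HTML without escaping. A saved attribute containing a quote character breaks
// out of the title attribute, and enclosed script-bearing markup is returned
// verbatim, so whatever was stored runs in every viewer's browser on render.
function ketchup_box_vulnerable( $atts, $content = null ) {
    $a = shortcode_atts( array( 'title' => '', 'color' => 'red' ), $atts, 'ketchup_box' );
    return '<div class="ketchup-box" style="border-color:' . $a['color'] . '">'
         . '<h3 title="' . $a['title'] . '">' . $a['title'] . '</h3>'
         . do_shortcode( $content )
         . '</div>';
}

// Hardened form: every value is escaped for the exact context it lands in.
function ketchup_box_hardened( $atts, $content = null ) {
    $a = shortcode_atts( array( 'title' => '', 'color' => 'red' ), $atts, 'ketchup_box' );

    // CSS context: allow-list the value instead of trying to escape it.
    $allowed_colors = array( 'red', 'green', 'blue' );
    $color = in_array( $a['color'], $allowed_colors, true ) ? $a['color'] : 'red';

    return '<div class="ketchup-box" style="border-color:' . esc_attr( $color ) . '">'
         // Attribute context vs. text context need different escapers.
         . '<h3 title="' . esc_attr( $a['title'] ) . '">' . esc_html( $a['title'] ) . '</h3>'
         // Enclosed content: keep only post-safe markup; wp_kses_post strips
         // <script>, inline event handlers and javascript: URLs from the
         // rendered (and nested-shortcode-expanded) HTML.
         . wp_kses_post( do_shortcode( $content ) )
         . '</div>';
}

// Register only the hardened handler.
add_shortcode( 'ketchup_box', 'ketchup_box_hardened' );
```

The same pattern applies to any shortcode attribute or enclosed content that ends up in page HTML: choose the escaper by output context (esc_attr, esc_html, esc_url, wp_kses_post) rather than trusting that only trusted roles can save posts.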
OpenCVE Enrichment