The vulnerability stems from a missing authorization check in the DeannaS Embed RSS plugin, which allows an attacker to inject and execute arbitrary shortcodes. This flaw effectively permits unauthorized users to embed malicious code, potentially leading to cross‑site scripting or execution of unintended actions within the WordPress installation. The weakness is classified as Missing Authorization (CWE‑862). The primary impact is that any user who can manipulate plugin input may run arbitrary code in the context of the site, affecting the confidentiality, integrity, or availability of the application. The impact scope depends on the configuration of the WordPress instance and the privileges granted to plugin users.

WordPress sites that use the DeannaS Embed RSS plugin version 3.1 or earlier are affected. The vendor is DeannaS, and the product is the Embed RSS plugin. Versions prior to 3.2 lack the fix; any site running a version noted as "n/a through <= 3.1" is vulnerable. No information is provided about other versions or sub‑products.

The CVSS score of 4.8 indicates a moderate severity vulnerability, and the EPSS score of less than 1% signals a low probability of exploitation in the wild. The vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog, suggesting it has not yet been publicly targeted or abused. The likely attack vector is remote, requiring the attacker to have the ability to submit data to the shortcode handler, which typically happens via the WordPress admin interface or faulty configuration that exposes the plugin to public users. Exploitation requires neither privileged credentials nor complex prerequisites, but the low EPSS suggests that attackers may focus on higher‑impact flaws in the meantime.