Impact
The vulnerability stems from improper neutralization of user input during the generation of web pages, resulting in a stored cross‑site scripting flaw. Malicious code can be written into the WP Date and Time Shortcode content, saved in the WordPress database, and then executed in the browsers of any visitor who views a page containing the affected shortcode. This allows the attacker to run client‑side scripts on all users who access the compromised page.
Affected Systems
Any WordPress installation running the Denra.com WP Date and Time Shortcode plugin at version 2.6.7 or earlier is affected. All sites that use the shortcode feature from this plugin are at risk; according to the vendor’s version range, versions newer than 2.6.7 are not impacted.
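To check an installation against this range, the following added example (not code from the vendor or from this advisory) reads WordPress-style plugin headers under a plugins directory and flags copies at 2.6.7 or earlier. It assumes the plugin's `Plugin Name` header matches the name used in this advisory; the sample header is constructed.

```python
import re
from pathlib import Path

PLUGIN_NAME = "WP Date and Time Shortcode"  # assumption: header matches the advisory's name
LAST_AFFECTED = "2.6.7"                     # advisory: 2.6.7 or earlier is affected

# WordPress-style header fields ("Plugin Name: ...", "Version: ...") in a PHP comment.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version)[ \t]*:[ \t]*(.+?)[ \t\r]*$", re.M | re.I)

# Constructed sample header, used only to demonstrate the parser.
SAMPLE_HEADER = """<?php
/*
 * Plugin Name: WP Date and Time Shortcode
 * Version: 2.6.5
 */
"""

def parse_header(text):
    """Return the first 'plugin name' and 'version' fields found in a header."""
    fields = {}
    for key, value in HEADER_RE.findall(text):
        fields.setdefault(key.lower(), value.rstrip(" */"))
    return fields

def version_key(version, width=4):
    """'2.6.7' -> (2, 6, 7, 0); a suffix such as '-beta' on a component is ignored."""
    nums = []
    for part in version.strip().split(".")[:width]:
        m = re.match(r"\d+", part)
        nums.append(int(m.group()) if m else 0)
    return tuple(nums + [0] * (width - len(nums)))

def is_affected(fields):
    """True if the header names the plugin and its version is <= LAST_AFFECTED.
    A missing Version field counts as affected, since it cannot be ruled out."""
    if fields.get("plugin name", "").lower() != PLUGIN_NAME.lower():
        return False
    version = fields.get("version")
    return version is None or version_key(version) <= version_key(LAST_AFFECTED)

def scan(plugins_dir):
    """Return (path, version) for each affected copy under wp-content/plugins."""
    hits = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        head = php.read_bytes()[:8192].decode("utf-8", "replace")  # header sits at file top
        fields = parse_header(head)
        if is_affected(fields):
            hits.append((str(php), fields.get("version")))
    return hits
```

Call `scan()` with the path to the site's `wp-content/plugins` directory; an empty list means no copy in the affected range was found by name.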
Risk and Exploitability
The CVSS score of 6.5 indicates a moderate level of severity, while the EPSS score of less than 1% suggests a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog, implying no known active exploitation campaigns. An attacker would need to inject malicious payloads via the plugin’s user‑visible input mechanism; if successful, the stored malicious code will be delivered to every user who visits the affected page, providing broad client‑side exposure.