Impact
The vulnerability originates from improper sanitization of user‑supplied input when generating web pages, creating a stored cross‑site scripting flaw. A malicious actor can inject JavaScript that will run in the context of any user who views a page containing the compromised input, leading to session hijacking, defacement, or data theft. The weakness is classified as CWE‑79, and the description does not indicate broader system compromise beyond the affected plugin’s output.
Affected Systems
All installations of the KaizenCoders URL Shortify WordPress plugin up to and including version 1.10.5.1 are affected. The vulnerability applies globally across sites that have not upgraded beyond that release.
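An added example, not part of the advisory or the plugin's own code: a Python check that reads the `Version:` field from a WordPress plugin's main-file header and tests it against the affected range stated above. The header text is constructed sample input and the function names are illustrative.

```python
import re

# Last affected release, taken from the advisory text above.
LAST_AFFECTED = (1, 10, 5, 1)

# Constructed sample of a plugin main-file header (not copied from the plugin).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: URL Shortify
 * Version: 1.10.5.1
 */
"""

def header_version(php_source):
    """Return the value of the 'Version:' header field, or None if absent."""
    m = re.search(r"^[ \t/*#@]*Version:[ \t]*(\S+)", php_source,
                  re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None

def parse_version(text):
    """Turn '1.10.5.1' into (1, 10, 5, 1); reject non-numeric components."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError("unsupported version string: %r" % text)
    return tuple(int(p) for p in parts)

def is_affected(version_text):
    """True when the version is at or below the last affected release.

    Components are compared as integers, so 1.9.0 sorts below 1.10.5.1
    (a plain string comparison would get that wrong). Both sides are
    zero-padded so that 1.10.5.1.0 is treated as equal to 1.10.5.1.
    """
    v = parse_version(version_text)
    width = max(len(v), len(LAST_AFFECTED))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(v) <= pad(LAST_AFFECTED)

if __name__ == "__main__":
    found = header_version(SAMPLE_HEADER)
    print(found, "affected" if is_affected(found) else "not in affected range")
```

To use it on a real site, pass the contents of the plugin's main PHP file to `header_version` instead of the sample string.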
Risk and Exploitability
With a CVSS score of 5.9, the vulnerability is considered moderate. The EPSS score indicates a very low probability of exploitation at this time, and the issue is not listed in the CISA KEV catalog. However, stored XSS can be triggered by untrusted data embedded in the plugin’s URLs: the attack vector is to create or modify a URL that contains malicious JavaScript and then entice an authenticated or unauthenticated user to visit that URL, after which the script executes in the visitor’s browser context. No special privileges are required beyond the ability to submit data via the plugin’s interface.