Impact
The VerticalResponse Newsletter Widget plugin for WordPress contains a stored cross‑site scripting flaw that allows an attacker to inject arbitrary JavaScript via the plugin’s shortcode. When an attacker supplies malicious attributes, the plugin fails to sanitize and escape the input, so the script is embedded and executed on any page containing the shortcode. The weakness is categorized as CWE‑79 and is only exploitable by authenticated users with contributor‑level permissions or higher.
Affected Systems
Katzweb Design’s VerticalResponse Newsletter Widget plugin is affected in all releases up to and including version 1.6. WordPress sites that install or embed these plugin versions are potentially vulnerable.
Risk and Exploitability
The CVSS score of 6.4 indicates a moderate severity, and the EPSS score of < 1 % suggests a low probability of exploitation in the near term. The vulnerability is not listed in the CISA KEV catalog, reducing immediate threat visibility, but because it requires only contributor‑level access, many sites with such roles are at risk. An attacker would first authenticate, then craft a malicious shortcode that stores the payload, which will execute whenever a page displaying the shortcode is viewed, allowing widespread script injection.
OpenCVE Enrichment
EUVD