Impact
The Enhanced Paypal Shortcodes plugin, in versions up to and including 0.5a, contains an improper neutralization of input during web page generation that allows stored cross‑site scripting. Because the plugin accepts user‑supplied content that is later rendered on the site without being neutralized, an attacker can submit malicious JavaScript in those fields. That code is stored and executed each time the relevant page is displayed to visitors. The potential impact includes defacement, theft of client‑side data, and the execution of arbitrary JavaScript in visitors' browsers. The extent to which these consequences are realized is inferred from typical XSS outcomes and is not explicitly stated in the CVE description.
Affected Systems
Affected systems are WordPress sites that have installed the CharlyLeetham Enhanced Paypal Shortcodes plugin in any release from its initial version through 0.5a. No version after 0.5a is identified as either vulnerable or fixed; thus all installations running 0.5a or an earlier release must be considered at risk.
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity. The EPSS score of less than 1 % suggests exploitation is currently unlikely. It is not listed in CISA’s KEV catalog, so no in‑the‑wild exploitation has been confirmed. The likely attack path is entering malicious payloads through the plugin’s input fields, whose values are not sanitized or escaped when they are rendered into the page. The description does not state which user roles can exploit the flaw, so whether administrative or author‑level access is required is uncertain.
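As an added illustration (not code from the Enhanced Paypal Shortcodes plugin; the shortcode tag, attribute names, checkout URL and markup are hypothetical), the handler below shows the defect class this advisory describes, shortcode input rendered into HTML without neutralization, beside the same handler written with WordPress output‑escaping functions:

```php
<?php
// Added example, not the plugin's own code. Tag, attributes and markup are
// hypothetical; only the WordPress API calls (shortcode_atts, esc_attr,
// esc_url, wp_kses_post, add_shortcode) are real.

// Vulnerable pattern: attribute values and enclosed content are concatenated
// into the page exactly as the post author typed them.
function example_pay_button_unsafe( $atts, $content = null ) {
    $a = shortcode_atts( array(
        'item_name' => '',
        'amount'    => '0.00',
        'return'    => '',
    ), $atts, 'example_pay_button' );

    // Nothing here is escaped, so markup stored in the post is handed to
    // every visitor's browser each time the page renders: stored XSS.
    return '<form action="https://checkout.example/pay" method="post">'
         . '<input type="hidden" name="item_name" value="' . $a['item_name'] . '">'
         . '<input type="hidden" name="amount" value="' . $a['amount'] . '">'
         . '<input type="hidden" name="return" value="' . $a['return'] . '">'
         . '<p>' . $content . '</p>'
         . '<input type="submit" value="Buy Now"></form>';
}

// Hardened pattern: each value is escaped for the HTML context it lands in,
// and the numeric field is validated instead of echoed.
function example_pay_button_safe( $atts, $content = null ) {
    $a = shortcode_atts( array(
        'item_name' => '',
        'amount'    => '0.00',
        'return'    => '',
    ), $atts, 'example_pay_button' );

    // Accept only a plain decimal amount; fall back to the default otherwise.
    $amount = preg_match( '/^\d+(\.\d{1,2})?$/', $a['amount'] ) ? $a['amount'] : '0.00';

    return '<form action="https://checkout.example/pay" method="post">'
         . '<input type="hidden" name="item_name" value="' . esc_attr( $a['item_name'] ) . '">'
         . '<input type="hidden" name="amount" value="' . esc_attr( $amount ) . '">'
         . '<input type="hidden" name="return" value="' . esc_url( $a['return'] ) . '">'
         . '<p>' . wp_kses_post( $content ) . '</p>'
         . '<input type="submit" value="Buy Now"></form>';
}

// Register only the hardened handler.
add_shortcode( 'example_pay_button', 'example_pay_button_safe' );
```

The escaping function must match the output context: esc_attr() inside attribute values, esc_url() for URL attributes, and wp_kses_post() for enclosed content that may legitimately contain limited HTML.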