Impact
The vulnerability is an improper neutralization of input during web page generation (stored cross-site scripting) that allows an attacker to store malicious JavaScript code through the Memberlite Shortcodes plugin. When the stored content is later rendered, the script executes in the browser of any visitor, giving the attacker a range of possibilities including theft of credentials, session hijacking, defacement of page content, or distribution of malware. The weakness is classified as CWE-79 and results in a loss of confidentiality and integrity and, in some cases, availability of the affected web application.
Affected Systems
This flaw affects the WordPress plugin "Memberlite Shortcodes" developed by Jason C. The vulnerability is present in all releases up to and including version 1.4.1. Any WordPress site running version 1.4.1 or earlier of the plugin is potentially impacted.
Risk and Exploitability
The CVSS score of 6.5 indicates a moderate severity. The EPSS score of less than 1% shows that current exploitation activity is very low, and the flaw is not listed in CISA's KEV catalog, so no widespread exploitation has been reported yet. Attackers can exploit the defect by submitting a malicious payload through the plugin's input fields; the payload is stored and later returned to unsuspecting visitors. As the attack does not require special network privileges, any site that has the plugin installed can be turned into a vector for delivering the script to its users.
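To make the weakness described in the Impact and Risk sections concrete, the following is an added illustration and not the Memberlite Shortcodes plugin's own code: a hypothetical WordPress shortcode callback (the shortcode name, attribute and function names are assumptions) shown first in its unescaped form and then hardened with the WordPress escaping functions.

```php
<?php
// Added illustration (hypothetical code, not the vulnerable plugin's source).
// A [member_notice title="..."]...[/member_notice] shortcode renders an attribute
// and the enclosed content supplied by whoever edits the post.

// Vulnerable form: the attribute value and the enclosed content are concatenated
// into the HTML untouched. Post content is filtered by wp_kses on save for users
// without the unfiltered_html capability, but the text inside a shortcode attribute
// is not an HTML tag, so a value that closes the quote and appends an event-handler
// attribute survives and reaches every visitor's browser unchanged (CWE-79).
function member_notice_unsafe( $atts, $content = '' ) {
    $atts = shortcode_atts( array( 'title' => '' ), $atts, 'member_notice' );
    return '<div class="notice" title="' . $atts['title'] . '">' . $content . '</div>';
}

// Hardened form: every untrusted value is escaped for the exact context it lands in.
//   esc_attr()     for values placed inside an HTML attribute
//   esc_html()     for values placed as text between tags
//   wp_kses_post() when a limited, known-safe subset of HTML must be kept
function member_notice_safe( $atts, $content = '' ) {
    $atts = shortcode_atts( array( 'title' => '' ), $atts, 'member_notice' );
    return '<div class="notice" title="' . esc_attr( $atts['title'] ) . '">'
        . wp_kses_post( $content )
        . '</div>';
}

// Register only the hardened callback; the unsafe one is kept above for comparison.
add_shortcode( 'member_notice', 'member_notice_safe' );
```

Reviewing each shortcode callback for output that is emitted without a context-appropriate esc_* or wp_kses_* call is the quickest way to find this class of defect in any plugin, and the patched release should be checked the same way.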
OpenCVE Enrichment