Impact
The vulnerability is an improper control of code generation in the RS WP Book Showcase plugin, enabling attackers to inject and execute arbitrary PHP code within a site that uses the affected plugin. The injection can occur through plugin configuration or content fields that accept shortcodes, allowing a malicious actor to take full control of the site, exfiltrate data, or modify site behavior. This type of code injection is a severe compromise of confidentiality, integrity, and availability within the affected WordPress installation.
Affected Systems
The affected systems are WordPress sites running the RS WP Book Showcase plugin provided by RS WP THEMES. Versions from the initial release through 6.7.59 are vulnerable. Any site using the RS WP Book Showcase plugin that has not upgraded beyond 6.7.59 is at risk.
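To check an inventory of sites against that range, the following script (an added example, not code from the plugin or the advisory) reads the `Version:` header of the installed plugin and compares it with 6.7.59 field by field, so that 6.7.6 is correctly treated as older than 6.7.59. The plugin directory name is a placeholder because the advisory does not give it, and GNU `sort -V` is assumed.

```shell
#!/usr/bin/env bash
# Added example: flag plugin copies at or below the last affected version.
LAST_AFFECTED="6.7.59"                 # upper bound stated in the advisory
PLUGIN_SLUG="PLUGIN-SLUG-PLACEHOLDER"  # assumption: directory name is not given on the page

# True (exit 0) when version $1 <= version $2, compared field by field (GNU sort -V).
version_le() {
  [ "$1" = "$2" ] && return 0
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Print the "Version:" value from a WordPress plugin header comment, if any.
plugin_version() {
  sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9A-Za-z.-]*\).*$/\1/p' "$1" | head -n 1
}

# Print "affected <v>", "above-range <v>" or "unknown" for one plugin file.
classify_plugin_file() {
  v="$(plugin_version "$1")"
  if [ -z "$v" ]; then
    echo "unknown"
  elif version_le "$v" "$LAST_AFFECTED"; then
    echo "affected $v"
  else
    echo "above-range $v"
  fi
}

# Constructed sample header, for trying the functions without a real site.
write_sample() {
  printf '<?php\n/**\n * Plugin Name: Sample\n * Version: %s\n */\n' "$2" > "$1"
}

# Usage: check.sh /var/www/site1 /var/www/site2 ...
for root in "$@"; do
  for f in "$root"/wp-content/plugins/"$PLUGIN_SLUG"/*.php; do
    [ -f "$f" ] || continue
    r="$(classify_plugin_file "$f")"
    [ "$r" = "unknown" ] || echo "$root: $r"
  done
done
```

A result of `above-range` only means the version is later than 6.7.59; the advisory does not name a fixed release.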
Risk and Exploitability
The CVSS score of 5.3 indicates medium severity with potential for significant impact. The EPSS score of less than 1% suggests that exploitation is unlikely at present, and the vulnerability is not listed in the CISA KEV catalog. Likely attack vectors include supply-chain infiltration or direct injection via shortcode or settings input. Existing security controls such as input validation and code sanitization are insufficient to prevent the injection. Given the medium CVSS and very low EPSS, the risk is moderate, but it remains a serious threat if exploited.