The vulnerability is a stored cross‑site scripting flaw, identified as CWE‑79, that allows an attacker to inject malicious script that is persisted in the database and delivered to visitors of a WordPress site using the Tripadvisor Shortcode plugin. When a user—authenticated or not—submits data through the plugin’s input interface, the content is not properly neutralized and is later rendered in the browser as part of a page, enabling defacement, stealing of cookies, or other client‑side attacks. The impact extends to all users who view affected pages, potentially compromising confidentiality, integrity, and availability of the site.

The issue affects the WordPress plugin Tripadvisor Shortcode released by Kevin Heath, specifically every version up to and including 2.2. Any site that has installed these versions of the plugin and has the shortcode or input form available is vulnerable.

The CVSS base score of 5.9 indicates moderate severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that attackers could exploit this by submitting crafted input through the plugin’s administrative interface or shortcode form; the malicious payload is stored and later delivered to any visitor without sufficient sanitization.