Impact
The biscia7 Hide Text Shortcode plugin for WordPress does not neutralize user-supplied input before writing it into generated pages (CWE-79). Content supplied through the plugin's shortcode is stored and later rendered without adequate validation or output encoding, so an attacker who can place such content can embed script that runs in the browser of every visitor who views the affected page. Because the payload persists in the site's content, this is a stored cross-site scripting flaw, and the outcome is execution of arbitrary client-side code in the visitor's session.
Affected Systems
Every WordPress site running biscia7 Hide Text Shortcode version 1.1 or earlier is affected. No particular build or deployment configuration is required beyond having the plugin installed and its shortcode in use; the flaw is present in every installation that has not been upgraded past the vulnerable release. The installed version can be read from the plugin's entry on the WordPress Plugins screen.
Risk and Exploitability
The flaw carries a CVSS base score of 6.5, a medium severity rating. The EPSS score is reported as below 1%, indicating that, as of the last assessment, the estimated likelihood of exploitation in the wild is low, and the vulnerability is not listed in the CISA KEV catalog. The likely attack path is insertion of malicious content into the shortcode (its attributes or the text it encloses), which is then rendered unescaped on any page that references that content. The advisory does not state which WordPress role is needed to place such content, so any account able to author post or page content should be treated as a potential source. A successful exploit lets the attacker's script execute whenever a legitimate user views the affected page.
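The pattern behind a CWE-79 shortcode flaw, and the fix, as an added example. This is illustrative code written for this page, not the biscia7 plugin's source: the shortcode callback, its attribute name `label`, and the sample payloads are all assumed. Outside WordPress, stand-ins for the real `esc_attr()` and `esc_html()` helpers are defined with `htmlspecialchars()` so the file runs under plain `php`; inside WordPress the real functions are used because the guards skip the stand-ins.

```php
<?php
// Added example (not the plugin's code): a hypothetical "hide text" shortcode
// callback that interpolates an attribute and the enclosed content straight
// into HTML (the CWE-79 pattern), beside a hardened version that escapes for
// the output context. The attribute name and payloads below are assumptions.

// Stand-ins so the file runs without WordPress; WordPress already defines these.
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Vulnerable: whatever the author typed lands in the page verbatim.
// $atts is untyped because WordPress passes an empty string when the
// shortcode has no attributes, and $content is null for a self-closing tag.
function hide_text_vulnerable($atts, ?string $content = null): string {
    $atts    = (array) $atts;
    $label   = $atts['label'] ?? 'Show';
    $content = $content ?? '';
    return '<span class="hide-text" data-label="' . $label . '">'
         . $content . '</span>';
}

// Hardened: escape at the point of output, using the escaper that matches
// the context (attribute value vs. element text).
function hide_text_hardened($atts, ?string $content = null): string {
    $atts    = (array) $atts;
    $label   = $atts['label'] ?? 'Show';
    $content = $content ?? '';
    return '<span class="hide-text" data-label="' . esc_attr($label) . '">'
         . esc_html($content) . '</span>';
}

// Constructed sample input: the kind of values a stored shortcode could carry,
// e.g. [hide_text label='"><img src=x onerror=alert(1)>']<script>...</script>[/hide_text]
$atts    = ['label' => '"><img src=x onerror=alert(1)>'];
$content = '<script>alert(document.cookie)</script>';

// First line breaks out of the attribute and injects two scripts;
// second line renders both payloads as inert text.
echo hide_text_vulnerable($atts, $content), PHP_EOL;
echo hide_text_hardened($atts, $content), PHP_EOL;
```

In a real plugin the callback is registered with `add_shortcode()` and attributes are normalized with `shortcode_atts()`; neither changes the rule above, which is that escaping happens where the value meets HTML. If the hidden text is meant to allow limited markup rather than plain text, the WordPress filter for that is `wp_kses_post()` applied to `$content`, not a raw echo.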