Impact
The Shortcode Generator plugin accepts user-supplied shortcode content and writes it into page output without proper neutralization, allowing reflected cross-site scripting. If an attacker exploits this flaw, the injected script executes in the victim's browser when the victim opens a crafted link to the vulnerable page, and it runs with that user's privileges on the site, potentially leading to session theft, defacement, or other client-side attacks. The weakness is classified as CWE-79 and is present in every version up to and including 1.1.
Affected Systems
All WordPress sites running the kylegetson Shortcode Generator plugin at version 1.1 or older are affected. The vulnerability applies regardless of the site's configuration or user roles, because the shortcode generator reflects user input directly into the page output.
Risk and Exploitability
The CVSS score of 7.1 falls in the High band of the CVSS qualitative scale, while the EPSS score of less than 1% indicates a low current probability of exploitation in the wild. The vulnerability is not listed in CISA's KEV catalog, so there is no evidence of widespread active exploitation. Based on the description, the attack vector is inferred to be web-based: an attacker crafts a URL whose query parameters carry malicious shortcode content and lures a user into visiting it. Because the flaw is reflected rather than stored, exploitation requires a victim to open such a URL; the script then runs in that user's session, so the impact depends on the privileges of whoever is lured, with a logged-in administrator being the most valuable target.
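As an added example (not code from the plugin, from its author, or from OpenCVE), the following Python models the behaviour described in the Impact section and the URL-based vector inferred above, and provides the check a site owner can run to confirm whether a page echoes shortcode input unescaped. The query parameter name `shortcode`, the page URL, and the two renderer functions are assumptions: the advisory names neither the real parameter nor shows the plugin's source, so the renderers only reproduce the pattern the advisory describes (raw concatenation versus HTML entity encoding).

```python
"""Reflected-XSS reflection probe (added example, not the plugin's code).

Hypothetical assumptions: the vulnerable page reads shortcode text from a
query parameter named `shortcode`; the advisory does not name the real
parameter or show the plugin source, so render_vulnerable/render_hardened
only model the behaviour it describes.
"""
import html
from typing import Callable
from urllib.parse import parse_qs, urlencode, urlsplit

# A marker token wrapped around each HTML metacharacter. If a metacharacter
# comes back sandwiched between two markers, the server reflected it raw.
MARK = "zq7"
METACHARS = '<>"\'&'
CANARY = "".join(f"{MARK}{c}" for c in METACHARS) + MARK


def render_vulnerable(shortcode: str) -> str:
    """Models the CWE-79 pattern in the advisory: input concatenated into HTML."""
    return f'<div class="shortcode-preview">{shortcode}</div>'


def render_hardened(shortcode: str) -> str:
    """Same page with entity encoding (what esc_html() does in WordPress)."""
    return f'<div class="shortcode-preview">{html.escape(shortcode, quote=True)}</div>'


def surviving_metachars(body: str) -> str:
    """Return the metacharacters from CANARY that the response echoed unescaped."""
    return "".join(c for c in METACHARS if f"{MARK}{c}{MARK}" in body)


def probe(fetch: Callable[[str], str], page_url: str, param: str = "shortcode") -> dict:
    """Send the canary through `fetch` (any callable returning a body) and grade it.

    `fetch` is injected so the probe runs offline against a stub; for a live
    check pass e.g. `lambda u: urllib.request.urlopen(u).read().decode()`.
    """
    url = f"{page_url}?{urlencode({param: CANARY})}"
    leaked = surviving_metachars(fetch(url))
    return {
        "url": url,
        "unescaped": leaked,
        # '<' or '>' surviving allows tag injection; a bare quote allows
        # attribute breakout when the reflection lands inside an attribute.
        "vulnerable": any(c in leaked for c in '<>"\''),
    }


def stub_fetch(render: Callable[[str], str]) -> Callable[[str], str]:
    """Offline stand-in for an HTTP client: parse the query, call the renderer."""

    def fetch(url: str) -> str:
        qs = parse_qs(urlsplit(url).query)
        return render(qs.get("shortcode", [""])[0])

    return fetch


if __name__ == "__main__":
    # Constructed page URL; replace with the real page when probing a site.
    for name, renderer in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        print(name, probe(stub_fetch(renderer), "https://example.test/wp-admin/admin.php"))
```

The canary deliberately contains no executable payload: it only carries the five characters that an entity-encoding fix must neutralize, so the probe is safe to run against a production site and tells you which characters survive rather than just whether a script fired. A response that still echoes `<` or `>` between the markers is still vulnerable even if a vendor patch claims to have "sanitized" the input.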
OpenCVE Enrichment