This vulnerability is a stored cross‑site scripting flaw caused by improper neutralization of input during web page generation, categorized as CWE‑79. It allows an attacker to embed malicious scripts that are permanently saved in a WordPress blog managed with the Shortcode Redirect plugin. When site visitors load the affected content, the embedded scripts execute in their browsers, potentially leading to session hijacking, credential theft, defacement or other client‑side attacks. The impact is limited to the integrity and confidentiality of users who view the compromised pages, but can result in widespread damage if the content is widely shared.

The affected product is the Shortcode Redirect WordPress plugin from cartpauj. All releases up to and including version 1.0.02 are impacted; earlier revisions are also suspected to lack the fix.

The CVSS score of 6.5 indicates a moderate severity flaw, while an EPSS score of less than 1% suggests a very low probability of exploitation at present. The flaw is not in the CISA KEV catalog, reducing the urgency of an active incident. The likely attack vector is the WordPress web application, inferred from the stored‑script nature of the vulnerability; an attacker would need the ability to add or edit content via the plugin to inject malicious payloads.