Impact
This vulnerability allows an attacker to inject malicious scripts that are stored and later rendered whenever end users view pages containing the plugin’s output. The root cause is improper neutralization of user-supplied input before it is placed into page markup, so the injected code executes in the context of other visitors’ browsers, potentially leading to credential theft, session hijacking or other malicious actions.
Affected Systems
The vulnerability affects the WordPress Widgets Shortcode plugin from Brajesh Singh. All releases up to and including version 1.0.3 are impacted; the issue exists in every build before 1.0.4.
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity, and the EPSS score of less than 1 % shows that exploitation is currently considered unlikely. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the ability to submit or modify content that the plugin processes—typically through the plugin’s shortcode interface. The likely attack vector is an attacker leveraging administrative or editorial privileges to embed malicious code into stored content, which then executes for all users who view that content.
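The following PHP is an added illustration of the bug class described in the Impact and Risk sections above, not the Widgets Shortcode plugin's own code and not taken from the advisory. It shows a hypothetical shortcode handler that writes attribute values and enclosed content into the page without escaping, beside a hardened version that escapes each value for the context it lands in. The shortcode name, attribute names and function names are invented for the example; the WordPress functions (`shortcode_atts`, `esc_attr`, `esc_html`, `wp_kses_post`, `do_shortcode`, `add_shortcode`) are real core APIs.

```php
<?php
// Hypothetical shortcode handler illustrating the stored-XSS pattern.
// This is NOT the Widgets Shortcode plugin's code; all names are invented.

// Vulnerable pattern: attribute values and enclosed content are concatenated
// straight into the returned markup. Whatever a content author saved in the
// shortcode is rendered verbatim for every visitor who views the page.
function example_widget_shortcode_vulnerable( $atts, $content = null ) {
    $atts = shortcode_atts(
        array( 'title' => '', 'class' => '' ),
        $atts,
        'example_widget'
    );

    return '<div class="' . $atts['class'] . '">'      // unescaped attribute
         . '<h3>' . $atts['title'] . '</h3>'            // unescaped text node
         . do_shortcode( $content )                     // unfiltered content
         . '</div>';
}

// Hardened pattern: every untrusted value is escaped for its output context.
//   esc_attr()     for values inside HTML attributes
//   esc_html()     for values rendered as text nodes
//   wp_kses_post() for enclosed content that may legitimately carry markup;
//                  it keeps the post-safe tag allowlist and strips script
//                  tags and event-handler attributes.
function example_widget_shortcode_hardened( $atts, $content = null ) {
    $atts = shortcode_atts(
        array( 'title' => '', 'class' => '' ),
        $atts,
        'example_widget'
    );

    // Run nested shortcodes first, then filter the combined result so that
    // output produced by other shortcodes is sanitized as well.
    $inner = wp_kses_post( do_shortcode( $content ) );

    return '<div class="' . esc_attr( $atts['class'] ) . '">'
         . '<h3>' . esc_html( $atts['title'] ) . '</h3>'
         . $inner
         . '</div>';
}

// Register only the hardened handler. The vulnerable function is kept above
// purely for side-by-side comparison and is never hooked into WordPress.
add_shortcode( 'example_widget', 'example_widget_shortcode_hardened' );
```

The design point is that escaping belongs in the handler, at the moment of output. WordPress's content filtering for authors who lack the `unfiltered_html` capability removes disallowed HTML tags from post content, but a shortcode's attribute values are plain text inside square brackets and are not validated as HTML at save time, so a handler that trusts them reintroduces markup into the page on every render. Reviewing a plugin for this class of issue therefore means checking each shortcode callback for values that reach the return string without passing through an `esc_*` or `wp_kses_*` function appropriate to their context.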