Impact
The vulnerability in the Latest Post Shortcode plugin is a stored cross-site scripting flaw: an attacker can embed script content that is served to every visitor when the affected page is rendered. Because the plugin does not properly neutralize input before storing it in the database, the stored payload is emitted unchanged when the page containing the shortcode is generated, so the injection persists until the content is edited or removed. Script running in a victim's browser in the site's origin can read cookies not marked HttpOnly, issue authenticated requests with the victim's session, and alter the page the victim sees, which can lead to credential theft, session hijacking or other actions taken in the victim's name. The impact is greatest when the viewer is a logged-in editor or administrator. Confidentiality and integrity of user data on the affected site are therefore at risk.
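The pattern behind this class of bug, as an added illustration rather than code from the Latest Post Shortcode plugin: a shortcode handler whose attribute is saved as part of post content and later concatenated into HTML without escaping, beside a hardened version. The shortcode name `demo_latest`, its attributes and both function names are hypothetical; `shortcode_atts`, `esc_attr`, `esc_html`, `esc_url`, `sanitize_text_field` and `absint` are WordPress core functions.

```php
<?php
/**
 * Added example, not the plugin's code. Shows why a stored shortcode
 * attribute must be escaped for the HTML context it lands in.
 * Shortcode name, attribute names and function names are hypothetical.
 */

// VULNERABLE: the 'title' attribute is taken from the saved post content and
// written straight into markup, twice, in two different contexts (attribute
// value and element body). A user who can save
//   [demo_latest title='"><img src=x onerror=alert(document.cookie)>']
// stores a payload that runs for every visitor who renders the post.
// Whether WordPress's post-save filtering (KSES) strips such markup depends
// on the saving user's capabilities (unfiltered_html), so the handler must
// not rely on it.
function demo_latest_posts_vulnerable( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => 'Latest posts', 'limit' => 3 ),
        $atts,
        'demo_latest'
    );
    $out  = '<div class="demo-latest" data-title="' . $atts['title'] . '">';
    $out .= '<h3>' . $atts['title'] . '</h3>';
    $posts = get_posts( array( 'numberposts' => (int) $atts['limit'] ) );
    foreach ( $posts as $p ) {
        $out .= '<a href="' . get_permalink( $p ) . '">' . $p->post_title . '</a>';
    }
    return $out . '</div>';
}

// HARDENED: normalize on input, then escape on output with the function that
// matches each context. esc_attr() for attribute values, esc_html() for text
// nodes, esc_url() for href. Numeric input is bounded instead of trusted.
function demo_latest_posts_hardened( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => 'Latest posts', 'limit' => 3 ),
        $atts,
        'demo_latest'
    );
    $title = sanitize_text_field( $atts['title'] );         // strip tags, control chars
    $limit = max( 1, min( 20, absint( $atts['limit'] ) ) ); // clamp to a sane range

    $out  = '<div class="demo-latest" data-title="' . esc_attr( $title ) . '">';
    $out .= '<h3>' . esc_html( $title ) . '</h3>';
    $posts = get_posts( array( 'numberposts' => $limit ) );
    foreach ( $posts as $p ) {
        $out .= '<a href="' . esc_url( get_permalink( $p ) ) . '">'
              . esc_html( get_the_title( $p ) ) . '</a>';
    }
    return $out . '</div>';
}

add_shortcode( 'demo_latest', 'demo_latest_posts_hardened' );
```

The hardened handler still escapes the title even after `sanitize_text_field()`, because sanitizing on input is a defence in depth, not a substitute for context-correct output escaping: the same stored string is written into an attribute value and into an element body, and each context has its own escaping rules.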
Affected Systems
WordPress sites running Iulia Cazan's Latest Post Shortcode plugin at version 14.0.3 or earlier are affected. Site administrators should confirm whether the plugin is installed and which version is present; the Plugins screen in wp-admin and the WP-CLI command `wp plugin list` both show the installed version. Versions later than 14.0.3 fall outside the stated affected range.
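A scripted form of that check, added here and not part of the plugin or of WordPress core, for sites where a manual look is impractical (many installs, or a fleet managed through WP-CLI). It uses the core functions `get_plugins()`, `is_plugin_active()` and PHP's `version_compare()`, and assumes the plugin's `Name` header reads exactly "Latest Post Shortcode"; the constant and function names are hypothetical.

```php
<?php
/**
 * Added exposure check, not part of the plugin or of WordPress core.
 * Run in a loaded WordPress context, e.g. `wp eval-file lps-check.php`
 * or as a must-use plugin. Reports whether Latest Post Shortcode is
 * installed at a version in the stated affected range (<= 14.0.3).
 */
if ( ! function_exists( 'get_plugins' ) ) {
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
}

define( 'LPS_LAST_AFFECTED', '14.0.3' ); // last version named as affected

/**
 * Locate the plugin by its Name header (assumed: "Latest Post Shortcode")
 * rather than by directory slug, and compare its Version header.
 *
 * @param array $plugins Output of get_plugins(): plugin-file => header array.
 * @return array{file:string,version:string,affected:bool,active:bool}|null
 */
function lps_exposure( array $plugins ) {
    foreach ( $plugins as $file => $hdr ) {
        if ( ! isset( $hdr['Name'] ) ) {
            continue;
        }
        if ( strcasecmp( trim( $hdr['Name'] ), 'Latest Post Shortcode' ) !== 0 ) {
            continue;
        }
        $version = isset( $hdr['Version'] ) ? trim( $hdr['Version'] ) : '0';
        return array(
            'file'     => $file,
            'version'  => $version,
            // version_compare() handles multi-part versions like 14.0.3 correctly;
            // a naive string comparison would order "14.0.10" before "14.0.3".
            'affected' => version_compare( $version, LPS_LAST_AFFECTED, '<=' ),
            'active'   => is_plugin_active( $file ),
        );
    }
    return null;
}

$r = lps_exposure( get_plugins() );
if ( null === $r ) {
    echo "Latest Post Shortcode: not installed\n";
} elseif ( $r['affected'] ) {
    printf(
        "Latest Post Shortcode %s (%s, %s): in affected range, update required\n",
        $r['version'],
        $r['file'],
        $r['active'] ? 'active' : 'inactive'
    );
} else {
    printf( "Latest Post Shortcode %s: outside the stated affected range\n", $r['version'] );
}
```

An inactive copy at an affected version is still worth updating or removing: its files remain on disk and it can be reactivated later without anyone re-checking the version.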
Risk and Exploitability
The CVSS score of 6.5 places the issue in the medium severity band, while an EPSS score below 1 % indicates little observed exploitation activity to date. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. Exploitation requires the ability to get attacker-controlled data into the plugin's stored input, which in practice means either an account with a privileged or administrative role or a publicly reachable input field that feeds the shortcode; this attack vector is inferred from the description rather than confirmed. Once the payload is stored, it executes in the browser of every user who views the affected post, with no further action by the attacker, so the attack path is straightforward once write access to the input is obtained. The practical risk is highest when privileged users are likely to view the affected content, since their sessions are the ones a stored script would most profitably abuse.
Sources: OpenCVE Enrichment, EUVD