Improper neutralization of input during page generation in the Last Updated Shortcode plugin allows an attacker to store malicious JavaScript that is later served to users. The resulting stored XSS can execute arbitrary script in the browsers of visitors to affected pages, enabling session hijacking, credential theft, or defacement of site content. Because the code runs in the user’s environment rather than on the server, the attack does not directly compromise server resources, but it compromises the privacy and integrity of site visitors. The weakness is identified as CWE‑79. The impact is confined to users who view the compromised content, but it can be propagated through shared links or embedded widgets.

The vulnerability affects the Luke Mlsna Last Updated Shortcode WordPress plugin, versions from the earliest release through 1.0.1. Users running any installation of the plugin up to and including 1.0.1 are impacted.

The CVSS score of 6.5 categorizes the issue as a medium severity problem. The EPSS score is reported as < 1%, indicating a low probability of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog. Attackers are likely to exploit the flaw via the normal content submission interface of the plugin, inserting malicious code that is subsequently rendered for other visitors. The overall risk remains moderate but warrants timely remediation.