This vulnerability is a DOM‑based Cross‑Site Scripting flaw caused by the short.io WordPress plugin’s failure to properly neutralize user input when rendering web pages. An attacker can embed malicious scripts in URLs or form input, which are then executed in the victim’s browser when the page is loaded. The impact of this flaw is the ability to run arbitrary JavaScript, enabling actions such as session hijacking, data theft, or defacement of the affected site. The issue is not listed as a known exploited vulnerability and has a moderate CVSS score, but the potential damage of user compromise remains significant.

The short.io plugin for WordPress, released by the vendor gugu, is affected in all versions up to and including 2.4.2. WordPress sites that have the plugin installed and are running those versions are vulnerable.

The CVSS score of 6.5 indicates moderate exploitation risk. The EPSS score of <1% suggests few real‑world attacks, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires only a client‑side interaction, typically via a crafted link or form. Because no authentication or privileged access is required, any user who visits a malicious URL can trigger the flaw. The outcome is the execution of victim‑side code, which can lead to credential theft or site defacement.