Impact
For the ProcessingJS for WordPress plugin, a vulnerability allows authenticated attackers with contributor‑level or higher privileges to embed malicious scripts into pages through the ‘pjs4wp’ shortcode. This flaw arises from insufficient sanitization of user supplied attributes and lack of proper output escaping, giving attackers the ability to store arbitrary JavaScript that executes whenever any visitor loads the affected page. The impact is primarily client‑side compromise, including credential theft, session hijacking, or defacement of the site.
Affected Systems
WordPress users running the ProcessingJS for WordPress plugin from cageehv are affected. All released versions up to and including 1.2.2 are vulnerable; versions newer than 1.2.2 contain the fix.
Risk and Exploitability
The CVSS score of 6.4 indicates a moderate severity vulnerability. EPA on the low EPSS score of less than 1% suggests that real‑world exploitation is currently rare, and the vulnerability is not listed in the CISA KEV catalog. However, the requirement of contributor or superior access means that any user who gains such permissions can inject harmful code that would persist across all site visitors, making this a significant risk when access control is insufficient or roles are overly permissive.
OpenCVE Enrichment
EUVD