Impact
This vulnerability is an improper neutralization of input during web page generation in the webvitaly Extra Shortcodes WordPress plugin: input that a user can supply to the plugin is written back into pages without adequate escaping, allowing an attacker to inject and persist arbitrary JavaScript within the website. Once stored, the malicious script executes in the browser of every visitor who loads the affected page, letting the attacker act with that visitor's privileges (for a logged-in administrator this includes requesting nonce-protected admin pages), deface the site, or redirect users to phishing pages. Because WordPress sets its authentication cookies HttpOnly, direct session-cookie theft is the less likely outcome, but it remains possible for any other cookie the site sets without that flag. The weakness is a classic stored Cross-Site Scripting flaw (CWE-79).
Affected Systems
The affected product is the webvitaly Extra Shortcodes WordPress plugin, all releases up to and including version 2.2. The vulnerability exists in any installation where the plugin is active and does not depend on a particular deployment configuration. A plugin that is installed but deactivated does not register its shortcodes and so cannot be triggered, but it should still be updated or removed rather than left in place.
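One way to check an installation against the affected range, as an added helper that is not part of the OpenCVE page or the plugin: it reads the JSON printed by `wp plugin list --format=json` and uses `version_compare()` so that a hypothetical future "2.10" is not mistaken for an older release than "2.2". The plugin slug `extra-shortcodes` is assumed; confirm it against the directory name under `wp-content/plugins/` on your site.

```php
<?php
// Added helper (not from OpenCVE or the plugin): flag extra-shortcodes at a
// version <= 2.2 in the output of `wp plugin list --format=json`.

const AFFECTED_SLUG         = 'extra-shortcodes'; // assumed slug, verify locally
const LAST_AFFECTED_VERSION = '2.2';              // from the advisory: <= 2.2 is affected

/**
 * Returns null when the plugin is not installed, otherwise an array with the
 * installed version, its active/inactive status and whether it is affected.
 */
function find_affected_plugin( string $wp_cli_json ): ?array {
    $plugins = json_decode( $wp_cli_json, true );
    if ( ! is_array( $plugins ) ) {
        throw new InvalidArgumentException( 'input is not valid wp-cli plugin JSON' );
    }
    foreach ( $plugins as $p ) {
        if ( ( $p['name'] ?? '' ) !== AFFECTED_SLUG ) {
            continue;
        }
        $version = $p['version'] ?? '0';
        return array(
            'version'  => $version,
            'status'   => $p['status'] ?? 'unknown', // "active" or "inactive"
            // version_compare() understands dotted versions, so "2.10" > "2.2".
            'affected' => version_compare( $version, LAST_AFFECTED_VERSION, '<=' ),
        );
    }
    return null;
}

// Constructed sample, in the shape wp-cli prints (not real output from a site).
$sample = '[{"name":"extra-shortcodes","status":"active","update":"none","version":"2.2"},'
        . '{"name":"akismet","status":"inactive","update":"none","version":"5.3"}]';

$r = find_affected_plugin( $sample );
if ( $r === null ) {
    echo "extra-shortcodes is not installed\n";
} elseif ( $r['affected'] ) {
    echo "extra-shortcodes {$r['version']} ({$r['status']}) is in the affected range: update or remove it\n";
} else {
    echo "extra-shortcodes {$r['version']} is outside the affected range\n";
}
```

On a real host, pipe the live output in with `wp plugin list --format=json | php check.php` after changing the script to read from `php://stdin`; an inactive copy still prints as affected here because the advisory bounds the range by version, not by activation state.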
Risk and Exploitability
The CVSS base score of 6.5 falls in the Medium band (4.0 to 6.9), so the vulnerability is moderate rather than high severity. The EPSS score of less than 1% indicates that exploitation in the wild is currently unlikely. The attack path most likely involves an attacker with the ability to create or edit content (for example a low-privileged author or contributor account) placing crafted shortcode content into a post or page, so that the plugin renders the payload into the HTML served to every subsequent visitor. Because the injection is persistent, the payload remains in the database and keeps firing until it is found and removed, even after the plugin is updated. The vulnerability is not listed in CISA's KEV catalog. Organizations should treat this as a moderate risk that could lead to session hijacking, actions performed with a victim's privileges, or phishing, especially on high-traffic sites or sites that display sensitive data. Vigilance is required until a patch is applied or the plugin is removed.
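The mechanism described above, as an added illustration that is not code from the Extra Shortcodes plugin: a hypothetical `[demo_box]` shortcode in a vulnerable form that concatenates attributes straight into markup, beside a hardened form that escapes each value for the context it lands in. Only the shortcode name, attributes and payload are invented; the WordPress functions (`add_shortcode`, `shortcode_atts`, `esc_attr`, `wp_kses_post`) are the real API. Drop it into `wp-content/mu-plugins/` on a test site to observe both behaviours.

```php
<?php
/*
 * Added illustration, not the plugin's own code. Requires WordPress to be loaded.
 * Why shortcode attributes are a stored-XSS sink: a contributor's post passes
 * through wp_kses_post(), but "[demo_box_vuln title='...']" is plain text to
 * kses, so quotes and event-handler names inside the attribute survive intact
 * and reach the shortcode handler untouched.
 */

// VULNERABLE: attribute values are written into HTML without escaping.
// Saving a post containing
//   [demo_box_vuln title='" onmouseover="alert(document.cookie)' color="red"]hi[/demo_box_vuln]
// renders  <div class="box" style="color:red" title="" onmouseover="alert(document.cookie)">
// and the handler fires for every visitor who hovers the box.
function demo_box_vulnerable( $atts, $content = '' ) {
    $a = shortcode_atts( array( 'title' => '', 'color' => '' ), $atts, 'demo_box_vuln' );
    return '<div class="box" style="color:' . $a['color'] . '" title="' . $a['title'] . '">'
        . $content . '</div>';
}
add_shortcode( 'demo_box_vuln', 'demo_box_vulnerable' );

// HARDENED: escape for the attribute context, reduce enumerations to a whitelist
// (CSS values are not fixed by esc_attr alone), and filter the inner content with
// wp_kses_post() so only the HTML WordPress already permits in posts survives.
function demo_box_hardened( $atts, $content = '' ) {
    $a = shortcode_atts( array( 'title' => '', 'color' => 'black' ), $atts, 'demo_box' );

    $allowed_colors = array( 'black', 'red', 'green' ); // hypothetical whitelist
    $color = in_array( $a['color'], $allowed_colors, true ) ? $a['color'] : 'black';

    return '<div class="box" style="color:' . esc_attr( $color ) . '"'
        . ' title="' . esc_attr( $a['title'] ) . '">'
        . wp_kses_post( $content )
        . '</div>';
}
add_shortcode( 'demo_box', 'demo_box_hardened' );
```

With the hardened handler the same payload renders as `title="&quot; onmouseover=&quot;alert(document.cookie)"`, an inert attribute value. When reviewing a shortcode plugin for this class of bug, look for every `$atts[...]` or `shortcode_atts()` result that reaches a `return` or `echo` without passing through `esc_attr()`, `esc_html()`, `esc_url()` or a whitelist first.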
OpenCVE Enrichment