The vulnerability resides in the Display During Conditional Shortcode WordPress plugin where the ‘message’ input is not properly sanitized or escaped, allowing stored cross‑site scripting attacks. Authenticated users with Contributor-level access can inject arbitrary JavaScript that is executed whenever the corresponding page is viewed, directly impacting confidentiality and integrity of the user session and potentially enabling further attacks such as credential theft or session hijacking. The weakness is identified as CWE‑79, a classic input validation flaw that permits script injection.

The affected product is the WordPress plugin Display During Conditional Shortcode by gserafini. All plugin versions up to and including 1.2 are vulnerable. Users should confirm they are not running these versions, and audit to ensure no old copies remain in their installations.

With a CVSS score of 6.4 the vulnerability represents a moderate severity. The EPSS score of less than 1% indicates a low likelihood of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. The attack requires authenticated access with contributor or higher privileges, suggesting the likely vector is a legitimate user performing normal plugin operations that store malicious payloads. Once injected, the script runs client‑side for any visitor to the affected page, potentially compromising a high number of users if the page receives significant traffic.