The CubeWP Framework is vulnerable to a stored cross‑site scripting flaw that arises when the cubewp_shortcode_taxonomy shortcode is used with malicious attribute values. The weakness stems from insufficient input sanitization and output escaping, allowing an attacker who can add or edit a shortcode to insert arbitrary JavaScript that will run in the browsers of any user who views the affected page. This type of injection can be used to deface a site, steal credentials, session cookies, or perform other malicious actions within the victim’s browser context. The flaw does not grant the attacker direct control of the underlying server or filesystem, but it does allow a contributor‑level attacker to compromise the confidentiality and integrity of page content and potentially impact other users who interact with the compromised page.

CubeWP Framework, all releases up to and including 1.1.26 are affected. Users running any of these versions are at risk if they can insert or edit the cubewp_shortcode_taxonomy shortcode.

This vulnerability scores 6.4 on the CVSS scale, indicating a moderate risk level. The EPSS score is below 1%, suggesting that exploitation is currently unlikely, and the flaw is not listed in the CISA KEV catalog. Exploitation requires authenticated access with contributor or higher privileges, and the attacker must be able to place the malicious shortcode in a page that is subsequently viewed by other users. Because the vulnerability is client‑side, it mainly affects user sessions and content integrity rather than system compromise.