The Simple Shopping Cart plugin for WordPress allows attackers with contributor-level access to supply arbitrary script code through the 'wpsc_display_product' shortcode. The plugin fails to properly sanitize or escape user‑supplied attributes, enabling the placement of malicious scripts that persist across pages. When an affected page is viewed, the injected code executes within the browser context of any visitor, potentially leading to session hijacking, defacement, or the execution of additional malicious payloads. The weakness is a classic stored cross‑site scripting flaw (CWE‑79) that directly compromises the confidentiality of user data and the integrity of the site’s content.

This vulnerability impacts installations of the Simple Shopping Cart plugin for WordPress with versions up to and including 5.2.4. Sites that have deployed any of these versions and grant contributor or higher permissions to any user profile are potentially exposed. The plugin is developed by mra13 and is integrated into WordPress core as a third‑party extension.

The CVSS score of 6.4 indicates a medium severity rating, which aligns with the scope of the flaw—only users with contributor-level or higher privileges can inject the payload, and the impact is limited to browsers that visit the affected pages. No EPSS score is available, but the absence of a listing in the CISA KEV catalog suggests the vulnerability has not yet been widely exploited at the time of reporting. The likely attack vector is web‑based, relying on authenticated access to the plugin’s shortcode editor; once the script is injected, it becomes automatically executed for all users who view the rendered page.