Impact
The Schema Shortcode plugin for WordPress contains a stored cross-site scripting (XSS) flaw: authenticated users with the Contributor role or higher can store arbitrary JavaScript through the plugin's itemscope shortcode. The root cause is insufficient sanitization and escaping of user-supplied shortcode attributes, so attribute values are written into the rendered HTML unchanged. WordPress's KSES filtering of post content on save does not help here, because the dangerous markup is only produced when the shortcode handler runs at render time. The payload therefore fires in the browser of every visitor who loads a page containing the shortcode. On a default installation a Contributor cannot publish, so the post must first be previewed or published by an Editor or Administrator, and those higher-privileged reviewers are themselves natural targets. Session hijacking, credential theft, and defacement of site content are all possible outcomes.
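The pattern behind this bug class, as an added illustration that is not the Schema Shortcode plugin's own code: a shortcode handler that drops attribute values straight into markup, next to the same handler with context-appropriate escaping and an allow-list. The attribute names (type, itemid), the example_* function names and the sample payload in the comment are assumptions made for the illustration; the plugin's real attribute set is not stated in the advisory. Only real WordPress APIs are used (add_shortcode, shortcode_atts, esc_attr, esc_url, do_shortcode).

```php
<?php
/**
 * Added illustration of a stored-XSS shortcode handler and its hardened form.
 * NOT the Schema Shortcode plugin's code; attribute names are assumptions.
 */

// Vulnerable pattern: attribute values land in HTML unescaped.
// A Contributor who writes (constructed example payload)
//   [itemscope type='Product" onmouseover="alert(document.cookie)']
// survives KSES on save (no angle brackets in the shortcode text) and the
// handler then emits the injected event handler verbatim into the page.
function example_itemscope_vulnerable( $atts, $content = null ) {
    $atts = shortcode_atts(
        array(
            'type'   => 'Thing',
            'itemid' => '',
        ),
        $atts,
        'itemscope'
    );

    // do_shortcode() lets nested shortcodes in $content render.
    return '<div itemscope itemtype="https://schema.org/' . $atts['type'] . '"'
        . ' itemid="' . $atts['itemid'] . '">'
        . do_shortcode( (string) $content )
        . '</div>';
}

// Hardened form: validate where the value space is small, escape for the
// exact context (attribute vs. URL) where it is not.
function example_itemscope_hardened( $atts, $content = null ) {
    $atts = shortcode_atts(
        array(
            'type'   => 'Thing',
            'itemid' => '',
        ),
        $atts,
        'itemscope'
    );

    // schema.org type names are plain ASCII words; anything else falls
    // back to Thing, so even an escaped value cannot become a foreign itemtype.
    $type = preg_match( '/^[A-Za-z]+$/', $atts['type'] ) ? $atts['type'] : 'Thing';

    // esc_attr() escapes ", ', <, >, & for attribute context;
    // esc_url() drops unsafe schemes such as javascript: from itemid.
    $html = '<div itemscope itemtype="' . esc_attr( 'https://schema.org/' . $type ) . '"';
    if ( '' !== $atts['itemid'] ) {
        $html .= ' itemid="' . esc_url( $atts['itemid'] ) . '"';
    }
    $html .= '>' . do_shortcode( (string) $content ) . '</div>';

    return $html;
}

// A fixed plugin would register the hardened handler under the same tag.
add_shortcode( 'itemscope', 'example_itemscope_hardened' );
```

The two handlers differ only in the last few lines, which is typical for this bug class: the parsing is fine, the output step is where the escaping has to happen, and it has to match the context (esc_attr for an attribute value, esc_url for a URL-valued attribute, esc_html for text between tags).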
Affected Systems
This weakness affects all installations of the Schema Shortcode plugin by jeric_izon, versions up to and including 1.0. The plugin is a WordPress add-on, so any WordPress site with an affected version installed and active is susceptible. Deactivating or removing the plugin stops the shortcode from rendering, but any injected shortcode text remains in post content until it is cleaned up.
Risk and Exploitability
The CVSS score of 6.4 places the vulnerability in the medium severity range. No EPSS score is available, and the issue is not listed in CISA's KEV catalogue, which indicates that exploitation is not known to be widespread; the bug class itself, however, is well understood and simple to exploit. An attacker needs an account with the Contributor role or higher to plant the payload, and because the payload is stored it executes for every visitor to the affected page until it is removed from the post content. Medium severity, no known public exploit, and the requirement for legitimate credentials together put this in a medium priority bracket. Sites that hand out Contributor accounts freely (multi-author blogs, guest posting, open registration) should treat it as more pressing, since Contributor is the lowest role that can create post content.
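Because the payload persists until it is removed, the first response step on an affected site is to find it. The following triage helper is an added example, not part of the plugin or of OpenCVE: it scans every post (drafts and pending-review posts included, since a Contributor's payload usually sits there waiting for an Editor to preview it) for itemscope shortcodes whose attribute text contains characters that do not belong in a schema.org type or URL. The function name and the heuristics are assumptions; get_shortcode_regex, $wpdb->prepare, $wpdb->esc_like and $wpdb->get_results are the real WordPress APIs.

```php
<?php
/**
 * Added triage helper for locating stored [itemscope ...] payloads.
 * Not the plugin's code. Run with: wp eval-file find-itemscope.php
 */
function example_find_suspicious_itemscope_posts() {
    global $wpdb;

    // Coarse filter in SQL; esc_like() keeps '%' and '_' in the needle literal.
    $like = '%' . $wpdb->esc_like( '[itemscope' ) . '%';

    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT ID, post_author, post_status, post_modified, post_content
               FROM {$wpdb->posts}
              WHERE post_content LIKE %s",
            $like
        )
    );

    // Same regex WordPress itself uses to locate shortcodes, restricted to
    // the one tag of interest. Capture group 3 is the raw attribute text.
    $pattern  = get_shortcode_regex( array( 'itemscope' ) );
    $findings = array();

    foreach ( $rows as $row ) {
        if ( ! preg_match_all( '/' . $pattern . '/s', $row->post_content, $matches ) ) {
            continue;
        }
        foreach ( $matches[3] as $attr_string ) {
            // Tells for an attribute-context breakout (assumed heuristics):
            // angle brackets, an on*= event handler, a javascript: scheme,
            // or a quote of the "other" kind nested inside a quoted value,
            // e.g. type='Product" onmouseover="...'
            $breakout = preg_match( '/[<>]|\bon\w+\s*=|javascript:/i', $attr_string )
                     || preg_match( '/"[^"]*\'|\'[^\']*"/', $attr_string );
            if ( $breakout ) {
                $findings[] = array(
                    'ID'       => (int) $row->ID,
                    'author'   => (int) $row->post_author,
                    'status'   => $row->post_status,
                    'modified' => $row->post_modified,
                    'atts'     => $attr_string,
                );
            }
        }
    }

    return $findings;
}

foreach ( example_find_suspicious_itemscope_posts() as $f ) {
    printf(
        "post %d (author %d, %s, modified %s): %s\n",
        $f['ID'], $f['author'], $f['status'], $f['modified'], $f['atts']
    );
}
```

The author and modification time in the output are what you need next: they identify the Contributor account to suspend and the window to check in web-server logs, and the post status tells you whether any Editor or Administrator has already previewed the page and may have had a session exposed.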
OpenCVE Enrichment