Impact
The DA Media GigList plugin for WordPress contains a stored cross‑site scripting vulnerability in its damedia_giglist shortcode. Unsanitized user‑supplied shortcode attributes, in particular list_title, are stored and later rendered without proper output escaping. An attacker who holds contributor‑level or higher credentials can inject script that runs in the browser of any user who views a page containing the affected shortcode. The flaw compromises client‑side confidentiality, integrity, and non‑repudiation, and may lead to session hijacking or further exploitation of vulnerable sites.
Affected Systems
All installations of DA Media GigList up to and including version 1.9.0 that are active on a WordPress site are affected. Only authenticated users with contributor or higher permissions can plant the payload; once stored, it executes whenever any visitor accesses a page that renders the damedia_giglist shortcode.
Risk and Exploitability
The CVSS base score is 6.4, indicating moderate severity. The EPSS metric is reported as less than 1 %, implying a low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to be a contributor on the target WordPress installation and to submit a crafted list_title value; once stored, the script executes on every page load of the shortcode, affecting all site visitors. While the entry point is limited to authenticated contributors, the impact on end‑users can be significant, and the low EPSS suggests the flaw has not yet been widely abused.
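The following is an added illustration of the pattern the Impact and Risk sections describe, not code from the DA Media GigList plugin: a hypothetical shortcode handler that concatenates the stored list_title attribute straight into HTML, next to a hardened version that escapes at output with the WordPress esc_html() and esc_attr() helpers. The function names, the default title and the data-title attribute are assumptions made for the example; only the shortcode name and the list_title attribute come from the advisory.

```php
<?php
// Added example, not the plugin's own code. Function names, defaults and the
// data-title attribute are assumptions; damedia_giglist and list_title come
// from the advisory. Requires the WordPress runtime (shortcode_atts, esc_html,
// esc_attr, add_shortcode).

// Vulnerable pattern: the attribute value a contributor saved in post content
// is placed into the page markup unchanged, so any tags or attributes it
// contains are parsed by every visitor's browser.
function damedia_giglist_render_vulnerable( $atts ) {
    $atts = shortcode_atts(
        array( 'list_title' => 'Upcoming gigs' ), // assumed default
        $atts,
        'damedia_giglist'
    );
    return '<div class="giglist"><h2>' . $atts['list_title'] . '</h2></div>';
}

// Hardened pattern: escape for the context the value lands in, at the point of
// output. esc_html() entity-encodes <, >, &, " and ' so the title renders as
// text; esc_attr() does the same for values placed inside an HTML attribute.
// Escaping at output protects against values that were stored before the fix.
function damedia_giglist_render_hardened( $atts ) {
    $atts = shortcode_atts(
        array( 'list_title' => 'Upcoming gigs' ), // assumed default
        $atts,
        'damedia_giglist'
    );
    $title_text = esc_html( $atts['list_title'] );
    $title_attr = esc_attr( $atts['list_title'] );
    return '<div class="giglist" data-title="' . $title_attr . '">'
         . '<h2>' . $title_text . '</h2>'
         . '</div>';
}

add_shortcode( 'damedia_giglist', 'damedia_giglist_render_hardened' );
```

The fix belongs at output rather than only at save time: a contributor's stored shortcode survives in post_content, so sanitizing new submissions alone leaves previously stored attribute values live until every affected page is re-rendered through an escaping handler.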
OpenCVE Enrichment