Impact
The vulnerability originates from the Tour & Activity Operator Plugin for TourCMS, a WordPress plugin, where the 'target' attribute of the tourcms_doc_link shortcode is insufficiently sanitized and escaped. When an authenticated user with Contributor level or higher supplies malicious input in this attribute, the data is stored and rendered in future page views, enabling the attacker to inject and execute arbitrary JavaScript code in the browsers of users who load those pages (stored cross-site scripting). This can lead to phishing, theft of sensitive information, or manipulation of page content. The weakness is classified as CWE‑79 and has a significant impact on the confidentiality and integrity of the site's content for every user who views the affected pages.
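As an added illustration, not the plugin's own code, the following hypothetical shortcode handler shows the unescaped pattern the advisory describes beside a hardened version that relies on WordPress's built-in escaping functions. The `url` and `text` attributes, the `demo_` function names and the `demo_doc_link` shortcode tag are assumptions chosen to avoid colliding with the real plugin.

```php
<?php
// Illustrative only: this is NOT the TourCMS plugin's code. It shows the
// pattern the advisory describes (a shortcode attribute echoed into an HTML
// attribute without escaping) next to a hardened handler. Attribute names and
// the demo_ identifiers are assumptions.

// Vulnerable pattern (hypothetical): 'target' is interpolated verbatim, so
// whoever can save the shortcode controls the attribute context, and the
// stored value is rendered on every page view of that post.
function demo_doc_link_vulnerable( $atts ) {
    $atts = shortcode_atts(
        array( 'url' => '', 'text' => 'Documentation', 'target' => '_blank' ),
        $atts,
        'demo_doc_link'
    );
    return '<a href="' . $atts['url'] . '" target="' . $atts['target'] . '">'
         . $atts['text'] . '</a>';
}

// Hardened pattern: restrict 'target' to a fixed allow-list and escape every
// value for the context it lands in (URL, attribute value, text node).
function demo_doc_link_hardened( $atts ) {
    $atts = shortcode_atts(
        array( 'url' => '', 'text' => 'Documentation', 'target' => '_blank' ),
        $atts,
        'demo_doc_link'
    );

    $allowed_targets = array( '_blank', '_self', '_parent', '_top' );
    $target = in_array( $atts['target'], $allowed_targets, true )
        ? $atts['target']
        : '_self';

    // esc_url() rejects unsafe URL schemes; esc_attr() and esc_html() encode
    // quotes and angle brackets so the surrounding markup cannot be altered.
    $rel = ( '_blank' === $target ) ? ' rel="noopener noreferrer"' : '';
    return sprintf(
        '<a href="%s" target="%s"%s>%s</a>',
        esc_url( $atts['url'] ),
        esc_attr( $target ),
        $rel,
        esc_html( $atts['text'] )
    );
}

// Register only the hardened handler; the vulnerable one is kept for contrast.
add_shortcode( 'demo_doc_link', 'demo_doc_link_hardened' );
```

Dropping this into a mu-plugin and saving a post that uses `[demo_doc_link target='...']` with a non-listed value shows the hardened handler falling back to `_self`, which is the check site owners can apply to their own shortcode handlers.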
Affected Systems
The affected product is the Tour & Activity Operator Plugin for TourCMS, version 1.7.0 and all earlier releases. The plugin operates within WordPress installations, and the vulnerability exists in the shortcode handling logic used by site administrators and contributors to embed tour information links.
Risk and Exploitability
The CVSS score of 6.4 reflects a moderate severity with potential for client‑side impact. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog. Because the exploit requires authentication at the Contributor level or higher, it is not publicly exploitable by unauthenticated users, but internal or compromised accounts can trigger the attack path by inserting malicious code into the shortcode via the admin or content editor interfaces.
OpenCVE Enrichment