Impact
The Citations tools plugin for WordPress contains a stored cross‑site scripting flaw in the code attribute of the ctdoi shortcode. The bug stems from insufficient input sanitization and output escaping of user‑supplied attributes. Authenticated users with Contributor-level privileges can inject arbitrary JavaScript that is executed whenever a page containing the malicious shortcode is viewed by any user. This can lead to session hijacking, defacement or redirection of victims and undermines the confidentiality, integrity, and availability of the site content.
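The flaw class described above, as an added illustration that is not the Citations tools plugin's own code: a hypothetical `ctdoi` shortcode handler in its vulnerable form beside a hardened form. The shortcode tag and the `code` attribute name come from the advisory; the assumption that the attribute carries a DOI that is rendered as a doi.org link is based only on the shortcode's name. The WordPress functions used (`add_shortcode`, `shortcode_atts`, `sanitize_text_field`, `esc_url`, `esc_html`) are standard core APIs.

```php
<?php
/**
 * Illustrative shortcode handler for the flaw class in the advisory.
 * This is NOT the Citations tools plugin's code. The tag "ctdoi" and the
 * attribute "code" come from the advisory; rendering a DOI link is an
 * assumption based on the shortcode's name.
 */

// Vulnerable pattern: the user-controlled attribute is interpolated straight
// into HTML with no validation or escaping. Shortcode output is produced at
// render time, after the post-save kses filtering that strips tags from
// Contributor content has already run, so nothing downstream neutralises it
// and whatever was stored is emitted to every visitor of the page.
function ctdoi_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'code' => '' ), $atts, 'ctdoi' );
    return '<a href="https://doi.org/' . $atts['code'] . '">' . $atts['code'] . '</a>';
}

// Hardened pattern: normalise the input, validate it against the shape a DOI
// takes (allowlist, not denylist), then escape separately for each output
// context: the URL goes through esc_url() for the href attribute, the visible
// text through esc_html() for element content.
function ctdoi_shortcode_hardened( $atts ) {
    $atts = shortcode_atts( array( 'code' => '' ), $atts, 'ctdoi' );
    $code = sanitize_text_field( $atts['code'] );

    // DOI syntax: "10." + registrant number + "/" + suffix. The suffix
    // allowlist deliberately excludes whitespace, quotes and angle brackets.
    if ( ! preg_match( '#^10\.\d{4,9}/[^\s"\'<>]+$#', $code ) ) {
        return ''; // reject anything that does not look like a DOI
    }

    $href = esc_url( 'https://doi.org/' . $code ); // safe inside an href attribute
    $text = esc_html( $code );                       // safe as element text
    return '<a href="' . $href . '">' . $text . '</a>';
}

// Register the hardened handler for [ctdoi code="10.1234/example"].
// (The DOI value above is a constructed sample, not a real identifier.)
add_shortcode( 'ctdoi', 'ctdoi_shortcode_hardened' );
```

The key design point is that validation and escaping live inside the handler: WordPress's capability model only stops Contributors from saving raw HTML in post content, it does not inspect the strings inside shortcode attributes, so any plugin that echoes those attributes back into the page must treat them as untrusted input and escape for the exact context (attribute, URL, or text) in which they land.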
Affected Systems
All versions of the Citations tools WordPress plugin up to and including 0.3.2 are affected. The plugin is published by ulaulaman and is installed on WordPress sites through the standard WordPress plugin repository. Site owners should check the installed version and treat any release at or below 0.3.2 as vulnerable.
Risk and Exploitability
The vulnerability has a CVSS v3.1 base score of 6.4, indicating moderate severity, and an EPSS score of less than 1 %, suggesting a low probability of active exploitation in the wild. It is not listed in the CISA KEV catalog. An attacker must first authenticate with Contributor or higher capabilities, so the exposure is limited to sites that grant such permissions to untrusted or partially trusted users. The authentication requirement narrows the pool of affected sites, but once a malicious shortcode is stored, the script runs in the browser of every visitor who views that page, so the risk is not negligible for sites that rely on the plugin.
OpenCVE Enrichment