Impact
The Ed's Social Share plugin for WordPress is susceptible to a stored cross-site scripting flaw in the social_share shortcode. In all releases up to and including version 2.0, attributes supplied to that shortcode are not properly validated or escaped, enabling authenticated attackers with contributor-level access or higher to inject arbitrary JavaScript code. When a user views a page or post containing the malicious shortcode, the embedded script executes in the visitor's browser, potentially allowing defacement, data theft, or session hijacking. This weakness falls under the Cross-Site Scripting category defined by CWE-79.
Affected Systems
Any WordPress site that has the Ed's Social Share plugin installed with a version number 2.0 or older is affected. Site administrators must review current installations, because every user with the contributor role or higher can add or edit posts and pages that may contain the vulnerable shortcode.
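As an aid to that review, the following added example (not code from the plugin or from this advisory) scans exported post content for social_share shortcodes whose attribute values contain characters or patterns that could break out of HTML markup if rendered unescaped. The attribute names url and title, the sample posts, and the heuristics are assumptions made for illustration, and the shortcode parsing is simplified compared with WordPress's own.

```python
import re

# Opening [social_share ...] tag. Simplified compared with WordPress's own
# shortcode regex: no nested brackets, no [[escaped]] form.
TAG_RE = re.compile(r"\[social_share\b([^\]]*)\]", re.IGNORECASE)
# name="value", name='value' or name=bare
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'\]]+))""")

# Heuristics (assumptions, not the plugin's logic): content a share-button
# attribute should never need if it is later written into HTML markup.
CHECKS = [
    ("markup-breaking character", re.compile(r"""["'<>`]""")),
    ("inline event handler", re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)),
    ("script-capable URL scheme", re.compile(r"^\s*(?:javascript|data|vbscript)\s*:", re.IGNORECASE)),
]

def audit_content(content):
    """Return [(attribute, value, [reasons])] for suspicious social_share attributes."""
    findings = []
    for tag in TAG_RE.finditer(content):
        for m in ATTR_RE.finditer(tag.group(1)):
            # Exactly one of the three value groups matched (it may be empty).
            value = next(g for g in m.groups()[1:] if g is not None)
            reasons = [label for label, rx in CHECKS if rx.search(value)]
            if reasons:
                findings.append((m.group(1), value, reasons))
    return findings

def audit_posts(posts):
    """posts: iterable of (post_id, post_content), e.g. rows exported from wp_posts."""
    return {pid: f for pid, content in posts if (f := audit_content(content))}

# Constructed sample rows; attribute names and values are illustrative only.
SAMPLE_POSTS = [
    (101, 'Read more [social_share url="https://example.com/post" title="Hello"]'),
    (102, "[social_share title='x\" onmouseover=\"PLACEHOLDER']"),
    (103, '[social_share url="javascript:void(0)"]'),
    (104, "A post with no shortcode at all."),
]

if __name__ == "__main__":
    for pid, findings in audit_posts(SAMPLE_POSTS).items():
        print(pid, findings)
```

A flagged post should be traced to the account that last edited it, since the stored content runs for every visitor until it is removed.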
Risk and Exploitability
The CVSS v3.1 score of 6.4 places this vulnerability in the moderate severity range. Exploitation requires only authenticated access at the contributor level or higher, which is a common role in many sites, thereby enlarging the potential attack surface. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog, and no exploit probability data is available, indicating that the exact likelihood of exploitation is unknown. However, the flaw is straightforward to exploit: an attacker simply inserts malicious content into shortcode attributes, and the payload is stored and executed for every subsequent visitor of that page or post.