The VI: Include Post By WordPress plugin contains a stored cross‑site scripting vulnerability that arises when the 'class_container' attribute of the 'include-post-by-cat' shortcode is not properly sanitized or escaped. This flaw allows an attacker with contributor‑level access or higher to inject arbitrary JavaScript code that will be executed by any user who views the page containing the malicious content. The weakness is a classic input validation and output encoding issue classified as CWE‑79.

WordPress sites running the VI: Include Post By plugin, versions up to and including 0.4.200706, are affected. The plugin, developed by Knighthawk, is distributed through the WordPress plugin repository. Any site that has installed or upgraded the plugin to a version older than or equal to 0.4.200706 may be vulnerable, regardless of the WordPress core version.

The vulnerability scores a moderate severity (CVSS 6.4) and lacks an available EPSS score, indicating uncertainty about exploitation frequency. It is not listed in the CISA KEV catalog. Attackers must be authenticated with at least contributor privileges and must be able to insert or edit shortcodes on the site. Once a malicious snippet is stored, any authenticated or unauthenticated visitor to the affected page will run the injected code, potentially leading to session hijacking, data theft, or defacement. Because the injection occurs through a commonly used shortcode, the attack surface is significant across dozens of sites that rely on this plugin.