The Text Snippets plugin contains a stored cross‑site scripting flaw in the ‘ts’ shortcode that arises from inadequate input sanitization and output escaping of user‑supplied attributes. The problem is a typical CWE‑79 vulnerability that lets attackers inject arbitrary JavaScript which will run in the browsers of any user who views the affected page. This can lead to theft of session cookies, defacement, or redirection to malicious sites. The risk is limited to the context of the WordPress site where the plugin is installed, but it can be leveraged to compromise all visitors who access the injected content.

The vulnerability affects the snedled:Text Snippets WordPress plugin. All released versions of the plugin up to and including 0.0.1 are impacted. No other WordPress core or plugin versions are listed as affected.

The CVSS score of 6.4 indicates moderate severity. EPSS data is not available, and the advisory is not listed in the CISA KEV catalog. The flaw requires the attacker to have at least contributor‑level authentication, meaning the attacker must log in with a WordPress account that has permission to add or edit snippets. Once authenticated, the attacker can embed malicious code that will execute in the browsers of all users who open the injected page. Because it is an authenticated attack vector, mitigation through role management or strict permission handling can reduce exploitation risk, but the most secure remedy is to patch or remove the vulnerable plugin.