Impact
The vulnerability is a stored cross-site scripting flaw in the Surbma Yoast SEO Breadcrumb Shortcode plugin for WordPress, exploitable by an authenticated user with contributor-level access or higher. The plugin does not properly sanitize or escape the input it accepts through its shortcode, so an attacker who can place the shortcode in post content can store arbitrary JavaScript that is emitted unescaped whenever the affected page is rendered. In the browser of any visitor, including logged-in editors and administrators, that script can steal session cookies, deface pages or redirect users, compromising confidentiality and integrity.
Affected Systems
The weakness exists in the Surbma Yoast SEO Breadcrumb Shortcode WordPress plugin in all versions up to and including 1.2. Any WordPress site running one of these versions is affected; a site that has not updated past 1.2 should treat the plugin as vulnerable.
Risk and Exploitability
With a CVSS score of 6.5 the flaw is rated medium severity. No EPSS score is available, and the CVE is not listed in the CISA KEV catalog, so no exploitation in the wild has been recorded at the time of writing. The attack is carried out remotely over the web: an attacker with contributor-level or higher access stores the payload in the shortcode's attributes within post content, and the script executes in the browser of every user who later views the page. The attacker therefore needs only a low-privileged authenticated account, while the victims are all visitors to the affected page, with administrator sessions being the most valuable target.
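The mechanism described in the Impact and Risk sections, as an added example that is not the Surbma plugin's own code: two hypothetical WordPress shortcode handlers, one that concatenates attribute values into markup (the pattern behind contributor-level stored XSS) and one that escapes them for the context they land in. The shortcode tag `breadcrumb_demo`, the attribute names `class` and `before`, and the payloads are all assumed for illustration; the stand-in definitions of `shortcode_atts()`, `esc_attr()` and `esc_html()` only exist so the file runs with plain `php` outside WordPress.

```php
<?php
// Added illustration, not the Surbma plugin's code. Shortcode tag and
// attribute names are assumed; payloads are constructed for the demo.

// Minimal stand-ins so this runs outside WordPress; inside WordPress the
// real shortcode_atts()/esc_attr()/esc_html() from core are used instead.
if ( ! function_exists( 'shortcode_atts' ) ) {
    function shortcode_atts( $pairs, $atts, $shortcode = '' ) {
        return array_merge( $pairs, array_intersect_key( (array) $atts, $pairs ) );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) { return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' ); }
}
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) { return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' ); }
}

// Vulnerable: attribute values are concatenated straight into the output.
function breadcrumb_demo_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'class' => 'breadcrumb', 'before' => '' ), $atts, 'breadcrumb_demo' );
    return '<nav class="' . $atts['class'] . '">' . $atts['before'] . 'Home &raquo; Page</nav>';
}

// Hardened: escape each value for its context (HTML attribute vs. text node).
function breadcrumb_demo_hardened( $atts ) {
    $atts = shortcode_atts( array( 'class' => 'breadcrumb', 'before' => '' ), $atts, 'breadcrumb_demo' );
    return '<nav class="' . esc_attr( $atts['class'] ) . '">' . esc_html( $atts['before'] ) . 'Home &raquo; Page</nav>';
}

// Constructed payloads of the kind a contributor could save in a post:
//   [breadcrumb_demo class='x" onmouseover="alert(document.cookie)']
//   [breadcrumb_demo before='<img src=x onerror=alert(1)>']
// wp_kses() filters the contributor's HTML, but text inside shortcode brackets
// is not HTML, so the values survive until the handler renders them.
$payloads = array(
    array( 'class'  => 'x" onmouseover="alert(document.cookie)' ),
    array( 'before' => '<img src=x onerror=alert(1)>' ),
);

// Parses the rendered fragment and reports whether an event-handler attribute
// or an <img> element appeared that the handler's own template never emits.
function demo_output_is_injected( $html ) {
    $doc = new DOMDocument();
    libxml_use_internal_errors( true );
    $doc->loadHTML( '<!DOCTYPE html><html><body>' . $html . '</body></html>' );
    libxml_clear_errors();
    foreach ( $doc->getElementsByTagName( '*' ) as $el ) {
        if ( strtolower( $el->tagName ) === 'img' ) {
            return true;
        }
        foreach ( $el->attributes as $attr ) {
            if ( stripos( $attr->name, 'on' ) === 0 ) {
                return true;
            }
        }
    }
    return false;
}

foreach ( $payloads as $p ) {
    $vuln = breadcrumb_demo_vulnerable( $p );
    $safe = breadcrumb_demo_hardened( $p );
    printf( "vulnerable: %s\n  injected? %s\n", $vuln, demo_output_is_injected( $vuln ) ? 'yes' : 'no' );
    printf( "hardened:   %s\n  injected? %s\n", $safe, demo_output_is_injected( $safe ) ? 'yes' : 'no' );
}

// Inside WordPress, register the hardened handler.
if ( function_exists( 'add_shortcode' ) ) {
    add_shortcode( 'breadcrumb_demo', 'breadcrumb_demo_hardened' );
}
```

Run with `php` to see the vulnerable handler break out of the `class` attribute and inject an `<img>` tag, while the hardened handler renders the same input inertly. If an attribute is meant to carry limited HTML, `wp_kses_post()` is the usual alternative to `esc_html()`; what matters is that every shortcode attribute is treated as untrusted, because contributors lack the `unfiltered_html` capability for exactly this reason.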
OpenCVE Enrichment