Impact
The ePaperFlip Publisher plugin contains a stored XSS flaw caused by a failure to sanitize the 'publicationid' attribute of the epaperflip_embed shortcode. Because the attribute value is injected directly into inline JavaScript, an authenticated user with Contributor privileges can store malicious script code that runs in the browser of anyone who later views a page containing the shortcode. The attacker’s script executes in the context of the site, which could lead to theft of session cookies, user impersonation, defacement, or other malicious actions, depending on the privileges of the compromised visitor.
Affected Systems
All WordPress installations that use the ePaperFlip Publisher plugin version 1.0 or earlier are affected. The vulnerability is in the plugin’s shortcode processing code, which runs on any WordPress site where the plugin is installed. The CNA data lists versions only up to 1, so any deployment still on that release is at risk.
Risk and Exploitability
The CVSS score of 6.4 reflects moderate severity. No EPSS data is available, and the vulnerability is not listed as a known exploited vulnerability by CISA. The flaw requires the attacker to be logged in with Contributor or higher rights, so it is limited to privileged users or compromised accounts. Once the malicious payload is stored, every visitor to the page loads the injected JavaScript, so the impact can be wide within the site. Based on the description, the likely attack vector is inferred to be a stored XSS triggered by a shortcode attribute, which requires the attacker to first author a post containing the malicious shortcode. If that is possible, the exploit is straightforward and does not require network bypass or exploit code, making it relatively easy to deploy in environments lacking strict input control.
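Because the payload lives in stored post content, a site owner can audit existing posts for it. The following is an added detection example, not code from the advisory or the plugin: it scans exported post content for epaperflip_embed shortcodes whose publicationid falls outside an allowlist. The allowlist pattern, the `audit_posts` helper and the sample rows are assumptions constructed for illustration.

```python
import re

# Matches [epaperflip_embed ...] and captures the raw attribute string.
SHORTCODE_RE = re.compile(r"\[epaperflip_embed\b([^\]]*)\]")
# publicationid given as "double-quoted", 'single-quoted' or a bare token.
ATTR_RE = re.compile(
    r"""\bpublicationid\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s\]]+))""",
    re.IGNORECASE,
)
# Assumption: a legitimate publication id is a short alphanumeric token.
# Adjust this to the id format your publications actually use.
SAFE_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def audit_posts(posts):
    """Return (post_id, author, value) for every epaperflip_embed shortcode
    whose publicationid value does not match the allowlist."""
    findings = []
    for post in posts:
        for shortcode in SHORTCODE_RE.finditer(post["content"]):
            attr = ATTR_RE.search(shortcode.group(1))
            if attr is None:
                continue  # no publicationid attribute, nothing to inject
            value = next(g for g in attr.groups() if g is not None)
            if not SAFE_ID_RE.fullmatch(value):
                findings.append((post["id"], post["author"], value))
    return findings


# Constructed sample rows, shaped like an export of post id, author and
# post content. These are not real data.
SAMPLE_POSTS = [
    {"id": 101, "author": "editor1",
     "content": 'Spring issue: [epaperflip_embed publicationid="a1b2c3d4"]'},
    {"id": 102, "author": "contrib7",
     "content": "[epaperflip_embed publicationid=\"1001';constructed\"]"},
    {"id": 103, "author": "contrib7",
     "content": "No embed in this post."},
    {"id": 104, "author": "contrib9",
     "content": "[epaperflip_embed publicationid=2002 width=600]"},
]

if __name__ == "__main__":
    for post_id, author, value in audit_posts(SAMPLE_POSTS):
        print(f"post {post_id} by {author}: suspicious publicationid {value!r}")
```

Any finding should be reviewed together with the authoring account, since the flaw is reachable from Contributor-level accounts.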