The Endless Scroll plugin allows stored cross‑site scripting through its shortcode attributes because it does not properly sanitize user input or escape output. An authenticated user with contributor–level access or higher can provide a malicious attribute that is then saved to the database. When a page using that shortcode is rendered, the malicious code executes in the browser of any visitor to the page, enabling attackers to deface content, steal credentials, or redirect users to phishing sites. The vulnerability is a classic input validation flaw identified as CWE‑79.

Any WordPress installation that has the Endless Scroll plugin installed in a version up to and including 1.0.0 is affected. This includes all sites that have installed the plugin, regardless of other security settings, as long as the user does not have a later, patched release of the plugin.

The CVSS score of 6.4 indicates moderate severity, and the EPSS score is not available, so the exact exploitation likelihood is unknown. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires that an attacker be authenticated with contributor‑level or higher access, and the target site must have the vulnerable plugin installed. Once the attacker submits a crafted shortcode attribute, it is stored in the database and later rendered unescaped in the page output. The attack vector is web‑based and can be performed from any location that can reach the site.