What the vulnerability does
01 Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in kevin heath Tripadvisor Shortcode tripadvisor-shortcode allows Stored XSS. This issue affects Tripadvisor Shortcode: from n/a through <= 2.2.
Explanation of Vulnerability in Simple Terms
02 Summary
The Tripadvisor Shortcode plugin for WordPress contains a cross-site scripting (XSS) vulnerability in versions 2.2 and earlier. An authenticated administrator can inject malicious scripts through the plugin's shortcode handling. When another user views a page containing the affected shortcode, the injected script executes in their browser, potentially compromising their session or stealing sensitive data.
What an attacker can do
03 Attacker Capabilities
Inject malicious JavaScript that executes when other users view pages with the affected shortcode.
Potential impact on your site
04 Site Impact
An admin account compromise could allow an attacker to inject scripts affecting all site visitors, risking credential theft or malware distribution.
Conditions required to exploit
05 Prerequisites
Attacker must have administrator privileges and a victim must view a page containing the malicious shortcode.
Key dates
06 Disclosure timeline
August 28, 2025: CVE published
April 28, 2026: Record updated