The CodePen Embedded Pens Shortcode plugin suffers from a stored XSS vulnerability due to improper input sanitization during web page generation. This flaw allows attackers with at least low privileges and requiring user interaction to inject malicious scripts that can execute in the context of affected users' browsers. The vulnerability affects all versions up to 1.0.2. The CVSS vector indicates network attack vector, low attack complexity, low privileges required, user interaction needed, scope changed, and impacts on confidentiality, integrity, and availability at a low level.

Successful exploitation could allow an attacker to execute arbitrary scripts in the context of the affected website, potentially leading to data disclosure, modification, or disruption of service. The impact is rated medium based on the CVSS score of 6.5. There are no reports of active exploitation in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider disabling or removing the affected plugin to mitigate risk. Monitor vendor channels for updates or patches addressing this vulnerability.