The Chris Mok GNA Search Shortcode plugin versions up to 0.9.5 contain a stored cross-site scripting vulnerability due to improper input neutralization during web page generation. This vulnerability allows an attacker with low privileges and requiring user interaction to inject malicious scripts that can affect confidentiality, integrity, and availability to a limited extent. The CVSS 3.1 vector indicates network attack vector, low attack complexity, low privileges required, user interaction required, and scope changed, with low impact on confidentiality and integrity and low impact on availability.

Successful exploitation could allow an attacker to execute arbitrary scripts in the context of the affected web application, potentially leading to limited disclosure or modification of data and partial disruption of service. The impact is rated medium severity with a CVSS score of 6.5. There are no reports of active exploitation in the wild.

No official patch or vendor advisory is currently available for this vulnerability. Patch status is not yet confirmed—check the vendor advisory for current remediation guidance. Until a patch is released, users should consider restricting access to the affected plugin functionality and monitor for suspicious activity related to stored XSS. Avoid exposing the plugin to untrusted users where possible.