The Power Charts Lite plugin for WordPress suffers from a stored XSS vulnerability via the 'id' attribute of the [pc] shortcode. The pc_shortcode() function extracts the 'id' parameter from user input and inserts it directly into an HTML div element's class attribute without sanitization or escaping. The HTML is then passed through html_entity_decode(), further weakening defenses against script injection. This flaw allows authenticated users with Contributor or higher privileges to inject arbitrary scripts that execute in the context of any user viewing the compromised page. The vulnerability affects all versions up to and including 0.1.0. No patch or official remediation has been published as of the data provided.

An attacker with Contributor-level or higher access can exploit this vulnerability to inject malicious JavaScript into pages using the [pc] shortcode. This script executes in the browsers of users who view the infected page, potentially leading to session hijacking, defacement, or other client-side attacks. The vulnerability has a CVSS 3.1 base score of 6.4 (medium severity), reflecting network attack vector, low attack complexity, and privileges required. There is no indication of known exploits in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict Contributor-level access to trusted users only and avoid using the vulnerable shortcode with untrusted input. Monitor vendor channels for updates and apply patches promptly once released.