UNKNOWN (0.0)
    Plugin

    Stored XSS in Consensus Embed Plugin via Shortcode Attributes

    Published Date: 3/7/2026
    CVE ID: CVE-2026-1823

    Summary

    The Consensus Embed plugin for WordPress contains a Stored Cross-Site Scripting vulnerability in versions up to 1.6, allowing authenticated contributors to inject malicious scripts. This flaw arises from inadequate input sanitization and output escaping within the plugin's shortcode attributes.

    Vulnerability Details

    The Consensus Embed plugin for WordPress fails to properly sanitize input and escape output for attributes used in its consensus shortcode. This vulnerability is classified as Stored Cross-Site Scripting (XSS) because it allows an attacker with at least contributor-level access to inject malicious JavaScript code into pages or posts. Once the code is stored, it executes whenever any user accesses the affected page, enabling theft of cookies, defacement of content, or even privilege escalation. Many WordPress site users and visitors could potentially be affected, depending on the extent of the script injected. This vulnerability highlights the critical importance of rigorous input validation and output sanitization in plugin development.

    Recommendations

    To mitigate this vulnerability, implement comprehensive input validation to sanitize each shortcode attribute on input and escape it for its output context in the plugin's shortcode handler. Website administrators should restrict contributor-level roles to trusted users only. Regularly reviewing and applying security best practices across all plugins can reduce such vulnerabilities.
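    The following is an added illustration of the sanitize-on-input, escape-on-output pattern the recommendation describes; it is not code from the Consensus Embed plugin. The shortcode tag `consensus` comes from the advisory, while the attribute names (`src`, `width`, `height`, `title`), the function names, and the allow-listed embed host are assumptions made for the example.

```php
<?php
// Added example, not the Consensus Embed plugin's code. Attribute names,
// function names and the embed host below are hypothetical.

// BEFORE (vulnerable pattern): attribute values are concatenated straight into
// HTML. A stored attribute value containing a double quote terminates the
// attribute, so anything after it is rendered as markup for every visitor.
function example_consensus_shortcode_unsafe( $atts ) {
    $atts = shortcode_atts(
        array( 'src' => '', 'width' => '640', 'height' => '360', 'title' => '' ),
        $atts,
        'consensus'
    );
    return '<iframe src="' . $atts['src'] . '" width="' . $atts['width']
        . '" height="' . $atts['height'] . '" title="' . $atts['title'] . '"></iframe>';
}

// AFTER (hardened): validate each attribute for its type on input and escape it
// for the exact output context in which it is emitted.
function example_consensus_shortcode_safe( $atts ) {
    $atts = shortcode_atts(
        array( 'src' => '', 'width' => '640', 'height' => '360', 'title' => '' ),
        $atts,
        'consensus'
    );

    // URL attribute: esc_url() rejects disallowed protocols (e.g. javascript:)
    // and encodes characters that could break out of the attribute.
    $src = esc_url( $atts['src'] );
    if ( '' === $src ) {
        return ''; // fail closed rather than emit a broken iframe
    }

    // Allow-list the embed host so only the intended provider can be framed.
    // 'embed.example' is a placeholder; use the real provider's host.
    $host = wp_parse_url( $src, PHP_URL_HOST );
    if ( 'embed.example' !== $host ) {
        return '';
    }

    // Numeric attributes: coerce to non-negative integers so no markup survives.
    $width  = absint( $atts['width'] );
    $height = absint( $atts['height'] );

    // Free-text attribute: strip tags/control chars on input, escape on output.
    $title = esc_attr( sanitize_text_field( $atts['title'] ) );

    return sprintf(
        '<iframe src="%s" width="%d" height="%d" title="%s"></iframe>',
        $src,
        $width,
        $height,
        $title
    );
}
add_shortcode( 'consensus', 'example_consensus_shortcode_safe' );
```

    Note that `shortcode_atts()` only supplies defaults and drops unknown attributes; it does not sanitize values, which is why each attribute still needs its own type-specific validation and context-specific escaping (`esc_url()` for the URL, `absint()` for dimensions, `esc_attr()` for free text in an HTML attribute).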

    Available Fixes

    Last Updated: 3/10/2026
    Jedar

    Jedar for Digital Rights is a non-profit organization dedicated to protecting digital freedoms, enhancing online privacy, and promoting secure digital practices for vulnerable communities worldwide.

    All Rights Reserved © 2026 Jedar for Digital Rights.
