The Shortcodes Ultimate plugin for WordPress, also known as the WP Shortcodes Plugin, has a security vulnerability that allows attackers to inject harmful web scripts. This is possible through the use of the ‘note_color’ shortcode, which is not properly checked for dangerous code. This means that anyone with contributor-level access or higher can insert malicious scripts into pages, which will then run whenever a user visits that page.