WordPress Core, the software powering many websites, includes a feature called “shortcodes”. In versions up to, and including, 6.2, shortcodes can be used in user-generated content on “block themes”. If an attacker finds a vulnerability in WordPress Core, such as one that requires Subscriber or Contributor-level permissions, they can use shortcodes to exploit it. Even on its own, this vulnerability could have minimal impact, but it can make other vulnerabilities more severe.