Shortcodes Ultimate
Moderate fix1 remedy
cpe:2.3:a:getshortcodes:shortcodes_ultimate:*:*:*:*:wordpress:*:*
Moderate fix1 remedy
- <= 7.4.2
WP Shortcodes Plugin Shortcodes Ultimate Stored Cross-Site Scripting Vulnerability
Vulnerability
Patched
A stored cross-site scripting vulnerability has been identified in the WP Shortcodes Plugin - Shortcodes Ultimate for WordPress, affecting all versions through 7.4.2. The issue arises from inadequate input sanitization and output escaping of user-supplied attributes in the plugin's shortcodes. This vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages, which are executed when users access the affected pages.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the page.
Reproduction
To reproduce this vulnerability, an authenticated user with contributor-level access or higher can use the Shortcodes Ultimate plugin to create a shortcode that includes unsanitized user input. The injected script will be executed when the page is viewed.
Remediation
Users are advised to update the WP Shortcodes Plugin - Shortcodes Ultimate to version 7.4.3 or a newer patched version.
Added: Jul 21, 2025, 8:19 AM
Updated: Jul 21, 2025, 8:19 AM
Vulnerability Rating
Custom Algorithm
spread
6.4impact
1.7exploitability
6.4remediation
7.7relevance
0.3threat
4.8urgency
2.9incentive
1.7Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.