The Shortcodes Ultimate WordPress plugin before 5.10.2 allows users with Contributor roles to perform stored XSS via shortcode attributes. Note: the plugin is inconsistent in its handling of shortcode attributes; some do escape, most don’t, and there are even some attributes that are insecure by design (like [su_button]'s onclick attribute).
[
{
"product": "WordPress Shortcodes Plugin — Shortcodes Ultimate",
"vendor": "Unknown",
"versions": [
{
"lessThan": "5.10.2",
"status": "affected",
"version": "5.10.2",
"versionType": "custom"
}
]
}
]