25 matches found
CVE-2024-2583
The CVE-2024-2583 entry concerns the WordPress plugin Shortcodes Ultimate (versions before 7.0.5). The vulnerability is a Stored XSS flaw caused by insufficient escaping of certain shortcode attributes before echoing back to users. Impactful for users with the Contributor role; requires user inte...
CVE-2023-6225
CVE-2023-6225 affects the WordPress plugin WP Shortcodes Plugin — Shortcodes Ultimate and is a stored XSS vulnerability in the su_meta shortcode when combined with post meta data. Affected versions are up to 5.13.3; exploitation requires at least contributor privileges and occurs via insufficien...
CVE-2024-1808
CVE-2024-1808 affects the WordPress WP Shortcodes Plugin — Shortcodes Ultimate. It describes a Stored Cross-Site Scripting (XSS) in the plugin’s su_qrcode shortcode for all versions up to 7.0.3, caused by insufficient input sanitization and output escaping on user-supplied attributes. Exploitatio...
CVE-2024-0792
CVE-2024-0792 affects the WordPress WP Shortcodes Plugin — Shortcodes Ultimate up to version 7.0.1. The issue is stored XSS via the plugin’s shortcodes in RSS feed content due to insufficient input sanitization and output escaping. Exploitation requires authentication at contributor level or high...
CVE-2023-0911
The CVE concerns the WordPress plugin Shortcodes Ultimate (before 5.12.8). The vulnerability arises because the plugin does not validate the user meta returned by the user shortcode, allowing any authenticated user (e.g., subscriber) to retrieve arbitrary user metadata (excluding user_pass), such...
CVE-2024-1510
CVE-2024-1510: WP Shortcodes Plugin — Shortcodes Ultimate is affected by a stored XSS via the su_tooltip shortcode in all versions up to 7.0.2. The issue stems from insufficient input sanitization and output escaping on user-supplied attributes and tags, enabling authenticated attackers with cont...
CVE-2024-3188
CVE-2024-3188 affects the WordPress plugin Shortcodes Ultimate (Shortcodes Plugin) up to version 7.0.x (pre-7.1.0). The issue is a lack of validation/escaping of certain shortcode attributes, which are output back into the page/post containing the shortcode. This can enable Stored Cross-Site Scri...
CVE-2023-6226
CVE-2023-6226 affects the WordPress plugin WP Shortcodes Plugin – Shortcodes Ultimate, versions ≤ 5.13.3. The issue is an Insecure Direct Object Reference (IDOR) in the su_meta shortcode caused by missing validation of user-controlled keys key and post_id. This allows authenticated users with con...
CVE-2023-0890
The CVE-2023-0890 entry concerns the WordPress Shortcodes Plugin — Shortcodes Ultimate prior to version 5.12.8. The vulnerability allows authenticated users (e.g., subscribers) to view posts that should not be public (draft, private, password-protected) and may also leak the password of protected...
CVE-2017-18580
The CVE-2017-18580 entry concerns WordPress Shortcodes Ultimate plugin before 5.0.1. The connected documents provide concrete details: remote code execution via a filter vulnerability in the meta/post/user shortcodes (su_meta, su_post, su_user). The exploitable condition requires crafted shortcod...
CVE-2022-38086
CVE-2022-38086 affects the WordPress plugin Shortcodes Ultimate
CVE-2023-6488
CVE-2023-6488 concerns the WP Shortcodes Plugin — Shortcodes Ultimate for WordPress. The issue is a stored cross-site scripting (XSS) vulnerability in the plugin’s shortcodes (su_button, su_members, su_tabs) present in all versions up to 7.0.0. The root cause is insufficient input sanitization an...
CVE-2024-3548
CVE-2024-3548 affects the WordPress plugin “WP Shortcodes Plugin — Shortcodes Ultimate” (versions prior to 7.1.2). The issue is that a parameter is not properly sanitized/escaped before being echoed in the page, resulting in a Reflected Cross-Site Scripting vulnerability that could target high-pr...
CVE-2022-41136
The CVE-2022-41136 entry concerns the WordPress Shortcodes Ultimate plugin, specifically versions
CVE-2024-3550
CVE-2024-3550 affects the WP Shortcodes Plugin — Shortcodes Ultimate for WordPress. The description specifies a Stored XSS via shortcode attributes in all versions up to 7.1.2, exploitable by authenticated users with contributor-level access or higher, allowing arbitrary scripts to execute on pag...
CVE-2024-8500
CVE-2024-8500 affects the WordPress plugin “WP Shortcodes Plugin — Shortcodes Ultimate” (versions
CVE-2023-23800
CVE-2023-23800 concerns the WordPress plugin “WP Shortcodes Plugin — Shortcodes Ultimate” (versions
CVE-2024-4217
CVE-2024-4217 affects the Shortcodes Ultimate Pro WordPress plugin prior to 7.1.5, where improper escaping of shortcode settings enables Stored XSS for attackers with a Contributor account. Red Hat confirms the same issue; Patchstack notes the fix is in 7.1.5. No exploitation status is provided i...
CVE-2024-4821
Technical details beyond this entry are not provided in the supplied documents; monitor for updates from vendors/advisories.
CVE-2024-4553
CVE-2024-4553 affects the WordPress plugin WP Shortcodes Plugin — Shortcodes Ultimate. The stored XSS flaw occurs in the su_members shortcode due to insufficient input sanitization and output escaping of the color attribute, exploitable by authenticated users with contributor-level access or high...
CVE-2017-2245
The WordPress plugin Shortcodes Ultimate is affected by CVE-2017-2245: a directory traversal vulnerability in versions prior to 4.10.0. An authenticated administrator can read arbitrary files via crafted requests. Impact is information disclosure on the server. Remediation: upgrade to version 4.1...
CVE-2023-25040
CVE-2023-25040 is a stored Cross-Site Scripting (XSS) vulnerability in the WordPress plugin Shortcodes Ultimate by Vova Anokhin, affecting versions <= 5.12.6. The issue is a stored XSS flaw; the exact root-cause details are not provided in the supplied documents. Publ...
CVE-2021-24525
CVE-2021-24525 concerns the WordPress plugin Shortcodes Ultimate (before 5.10.2). The vulnerability allows users with the Contributor role to perform stored XSS via shortcode attributes due to inconsistent handling/escaping of attributes (some are escaped, many are not; some attributes may be ins...
CVE-2025-5567
CVE-2025-5567 affects the WordPress plugin "WP Shortcodes Plugin — Shortcodes Ultimate" up to version 7.4.0. The root cause is insufficient input sanitization and output escaping for the DOM data-url attribute, enabling stored Cross-Site Scripting. An authenticated attacker with Contributor-level...
CVE-2024-6766
CVE-2024-6766 affects Shortcodes Ultimate Pro for WordPress (before 7.2.1). The vulnerability arises from not validating/escaping certain shortcode attributes before echoing them in pages/posts, enabling Stored XSS by users with the Contributor role or higher. Remediation: upgrade to Shortcodes U...