The shortcodes-ultimate-pro WordPress plugin before 7.1.5 does not properly escape some of its shortcodes’ settings, making it possible for attackers with a Contributor account to conduct Stored XSS attacks.
[
{
"cpes": [
"cpe:2.3:a:getshortcodes:shortcodes_ultimate:*:*:*:*:*:wordpress:*:*"
],
"vendor": "getshortcodes",
"product": "shortcodes_ultimate",
"versions": [
{
"status": "affected",
"version": "0",
"lessThan": "7.1.5",
"versionType": "custom"
}
],
"defaultStatus": "unknown"
}
]