During routine plugin testing, we discovered a critical security vulnerability in the Shortcodes Ultimate plugin for WordPress which has 600,000+ installations. This plugin, widely used for adding powerful shortcodes to enhance website functionality, is currently vulnerable to a severe security flaw that could potentially allow attackers to exploit and gain unauthorized access to your WordPress site.

The exploit allows contributors to embed malware JavaScript code into new posts via shortcode, subsequently facilitating admin account creation. By exploiting this flaw, attackers can gain unauthorized access and wreak havoc on websites.

Vulnerability detailed CVE on WPScan: https://wpscan.com/vulnerability/9eef8b29-2c62-4daa-ae90-467ff9be18d8.

How to secure your site from the vulnerability

Don’t rush to delete the plugin. To mitigate the risk you should just update your Shortcodes Ultimate plugin to the latest version. Additionally, implementing robust security measures, such as regular vulnerability assessments and user role restrictions, can fortify defenses against XSS attacks.

Critical Security Vulnerability in Shortcode Ultimate Plugin for WordPress

Related posts

2Vulnerability in the CleanTalk Anti-Spam plugin for WordPress CleanTalk Security IconCVE-2023-4289 – WP Matterport Shortcode < 2.1.8 - Contributor+ Stored XSS via shortcode vulnerabilites1Revealing Vulnerabilities: The All-in-One SEO Plugin Dilemma Default ThumbnailCleanTalk Web Application FireWall for WordPress Security Plugin CleanTalk Security IconCVE-2023-4646 – Simple Posts Ticker < 1.1.6 - Contributor + Stored XSS via shortcode CleanTalk Security IconCVE-2023-4795 – Testimonial Slider Shortcode < 1.1.9 - Contributor+ Stored XSS инфографика 5 1CleanTalk Security Plugin Tools for WordPress
Tagged on:         

Leave a Reply

Your email address will not be published. Required fields are marked *