CVE-2026-0737
Stored XSS in WP Shortcodes Ultimate Plugin Allows Script Injection
Publication date: 2026-04-04
Last updated on: 2026-04-04
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| shortcodes_ultimate | shortcodes_ultimate | to 7.4.7 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability CVE-2026-0737 affects the WP Shortcodes Plugin - Shortcodes Ultimate for WordPress, specifically in all versions up to and including 7.4.7. It is a Stored Cross-Site Scripting (XSS) vulnerability caused by insufficient input sanitization and output escaping in the 'src' attribute of the su_lightbox shortcode.
Authenticated attackers with contributor level access or higher can exploit this flaw by injecting arbitrary web scripts into pages via the 'src' attribute. These scripts then execute whenever any user accesses the injected page.
Technically, the vulnerability arises because the 'src' attribute accepts URLs or CSS selectors that are only partially validated by checking their prefix (e.g., starting with '.', '#', 'http://', or 'https://'). This limited validation allows malicious scripts to be embedded in the data attributes used by the lightbox JavaScript, leading to XSS.
How can this vulnerability impact me? :
This vulnerability can allow an attacker with contributor-level access or higher to inject malicious scripts into your WordPress site pages. These scripts will execute in the browsers of users who visit the affected pages.
- Execution of arbitrary JavaScript code in users' browsers.
- Potential theft of user session cookies or credentials.
- Defacement or unauthorized modification of website content.
- Redirection of users to malicious websites.
- Compromise of user trust and site reputation.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by identifying if the WordPress site is using the Shortcodes Ultimate plugin version 7.4.7 or earlier, which contains the vulnerable lightbox shortcode.
To detect potential exploitation attempts, you can look for HTTP requests containing the su_lightbox shortcode with suspicious or malformed 'src' attributes that include scripts or unusual URL schemes.
Suggested commands to detect the vulnerability or exploitation attempts include:
- Search for the plugin version in the WordPress installation: `grep -r 'Version: 7.4.7' wp-content/plugins/shortcodes-ultimate/`
- Scan WordPress posts or pages for the vulnerable shortcode usage with suspicious 'src' attributes: `wp post list --post_type=page,post --field=ID | xargs -I % wp post get % --field=post_content | grep -i '\[su_lightbox.*src=.*script'`
- Monitor web server logs for requests containing the su_lightbox shortcode or unusual parameters in URLs that might indicate attempts to inject scripts.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Shortcodes Ultimate plugin to version 7.4.8 or later, where the vulnerability has been addressed by improving input sanitization and validation of the 'src' attribute in the lightbox shortcode.
If updating immediately is not possible, restrict contributor-level users from adding or editing content that uses the su_lightbox shortcode to prevent exploitation.
Additionally, implement Web Application Firewall (WAF) rules to detect and block attempts to inject malicious scripts via the 'src' attribute in the shortcode.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability CVE-2026-0737 is a Stored Cross-Site Scripting (XSS) issue in the WP Shortcodes Plugin - Shortcodes Ultimate for WordPress. This type of vulnerability can lead to unauthorized script execution in the context of a user's browser, potentially exposing sensitive user data or allowing unauthorized actions.
While the provided context does not explicitly mention compliance with standards such as GDPR or HIPAA, Stored XSS vulnerabilities generally pose risks to data confidentiality and integrity. Such risks can lead to non-compliance with regulations that require protection of personal data and secure handling of user information.
Therefore, organizations using this plugin without mitigation may face challenges in maintaining compliance with data protection regulations due to the potential for data exposure or unauthorized access resulting from this vulnerability.