Executive Summary

The WP Shortcodes Plugin - Shortcodes Ultimate plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in the su_carousel shortcode in all versions up to and including 7.4.8.

This vulnerability arises because the plugin does not properly sanitize and escape input in the 'su_slide_link' attachment meta field.

As a result, authenticated users with author-level access or higher can inject malicious web scripts into pages. These scripts execute whenever any user accesses the affected page.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows attackers with author-level access or above to inject arbitrary scripts into web pages via the su_carousel shortcode.

When other users visit these pages, the injected scripts execute in their browsers, potentially leading to theft of sensitive information, session hijacking, or other malicious actions.

Because the vulnerability is a Stored Cross-Site Scripting issue, the malicious code persists on the site and affects all visitors to the compromised pages.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate the CVE-2026-0738 vulnerability in the Shortcodes Ultimate WordPress plugin, you should update the plugin to version 7.4.9 or later.

This update includes a fix that sanitizes the slide link URLs in the carousel shortcode by using the esc_url() function, preventing malicious scripts from being injected and executed.

• Check your current version of the Shortcodes Ultimate plugin.
• If running version 7.4.8 or earlier, upgrade immediately to version 7.4.9 or later.
• Ensure that only trusted users have author-level or higher access to your WordPress site to reduce risk.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows authenticated attackers with author level access to inject arbitrary web scripts that execute when users access the affected pages. This Stored Cross-Site Scripting (XSS) flaw can lead to unauthorized access to user data or session hijacking.

Such security weaknesses can impact compliance with standards like GDPR and HIPAA, which require protection of personal data and secure handling of user information to prevent unauthorized access or data breaches.

Failure to address this vulnerability could result in non-compliance due to potential exposure of sensitive data or compromise of user privacy through malicious script execution.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves Stored Cross-Site Scripting (XSS) via the su_carousel shortcode in the Shortcodes Ultimate WordPress plugin versions up to 7.4.8. Detection typically involves identifying if your WordPress installation uses this plugin version and if the su_carousel shortcode is present with potentially malicious input in the 'su_slide_link' attachment meta field.

Since the vulnerability is related to unsanitized URLs in slide links, you can detect it by checking the plugin version and scanning for suspicious or malformed URLs in the carousel slides.

Suggested commands to detect the vulnerable plugin version and potentially malicious content include:

• Check the plugin version via WP-CLI: `wp plugin list | grep shortcodes-ultimate`
• Search the WordPress database for suspicious slide link URLs in the post meta or options tables, for example using MySQL commands or WP-CLI: `wp db query "SELECT * FROM wp_postmeta WHERE meta_key LIKE '%su_slide_link%' AND meta_value LIKE '%<script>%'"`
• Use web vulnerability scanners or security plugins that can detect stored XSS in WordPress content.

Useful 0 Not Useful 0