Can you explain this vulnerability to me?

The Bootstrap Shortcode plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in its `box` shortcode. This vulnerability exists in all versions up to and including version 1.0 due to insufficient input sanitization and output escaping of user-supplied attributes.

Authenticated users with Contributor-level access or higher can exploit this flaw to inject arbitrary web scripts into pages. These scripts will execute whenever any user accesses the injected page, potentially compromising user sessions or data.

Useful 0 Not Useful 0

How can this vulnerability impact me? :

This vulnerability allows attackers with Contributor-level access or above to inject malicious scripts into WordPress pages. When other users visit these pages, the scripts execute in their browsers, which can lead to theft of sensitive information, session hijacking, or unauthorized actions performed on behalf of users.

Because the attack is stored, the malicious code persists on the site and affects all visitors to the compromised pages, increasing the potential impact.

Useful 0 Not Useful 0

What immediate steps should I take to mitigate this vulnerability?

The Bootstrap Shortcode plugin for WordPress has been temporarily closed and is no longer available for download as of May 6, 2026.

Immediate mitigation steps include uninstalling or disabling the Bootstrap Shortcode plugin if it is currently active on your WordPress site to prevent exploitation of the stored cross-site scripting vulnerability.

Additionally, restrict Contributor-level access and above to trusted users only, as the vulnerability requires authenticated users with such privileges to exploit.

Useful 0 Not Useful 0