CVE-2026-9200
Deferred Deferred - Pending Action
Local File Inclusion in WordPress Query Shortcode Plugin

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: Wordfence

Description
The Query Shortcode plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0.2.1 via the shortcode function. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-05-27
Generated
2026-06-16
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-9200
EUVD
EUVD-2026-32062
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wordfence query_shortcode to 0.2.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-98 The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Query Shortcode plugin for WordPress has a Local File Inclusion vulnerability in all versions up to and including 0.2.1. This vulnerability exists in the shortcode function and allows authenticated users with contributor-level access or higher to include and execute arbitrary PHP files on the server.

By exploiting this, attackers can run any PHP code contained in those files, potentially bypassing access controls and gaining unauthorized capabilities.

Compliance Impact

The vulnerability allows authenticated attackers with contributor-level access to execute arbitrary PHP code on the server, which can lead to bypassing access controls and obtaining sensitive data.

Such unauthorized access and potential data exposure could negatively impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls to protect sensitive information.

However, the provided information does not explicitly detail the compliance implications or specific regulatory impacts.

Impact Analysis

This vulnerability can have severe impacts including unauthorized code execution on the server, which may lead to full compromise of the affected WordPress site.

  • Bypass of access controls
  • Execution of arbitrary PHP code
  • Potential exposure or theft of sensitive data
  • Compromise of site integrity and availability
Mitigation Strategies

To mitigate this vulnerability, you should update the Query Shortcode plugin for WordPress to a version later than 0.2.1 where the Local File Inclusion issue is fixed.

Additionally, restrict contributor-level access and above to trusted users only, as the vulnerability requires authenticated access at that level.

Consider disabling or removing the vulnerable plugin if an immediate update is not available.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9200. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart