Shortcodes Ultimate Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via su_tooltip Shortcode – CVE-2024-1510 | WordPress Plugin Vulnerability Report

Plugin Name: Shortcodes Ultimate

Key Information ormation:

  • Software Type: Plugin
  • Software Slug: shortcodes-ultimate
  • Software Status: Active
  • Software Author: gn_themes
  • Software Downloads: 18,644,577
  • Active Installs: 600,000
  • Last Updated: February 19, 2024
  • Patched Versions: 7.0.3
  • Affected Versions: <= 7.0.2

Vulnerability Details:

  • Name: WP Shortcodes Plugin — Shortcodes Ultimate <= 7.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via su_tooltip Shortcode
  • Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CVE: CVE-2024-1510
  • CVSS Score: 6.4 (Medium)
  • Publicly Published: February 19, 2024
  • Researcher: Richard Telleng
  • Description: The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's su_tooltip shortcode in all versions up to, and including, 7.0.2 due to insufficient input sanitization and output escaping on user supplied attributes and user supplied tags. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.


The Shortcodes Ultimate plugin for WordPress has an authenticated stored cross-site scripting vulnerability in versions up to and including 7.0.2 via the su_tooltip shortcode. This allows contributors and above to inject malicious scripts that execute when pages are viewed. The vulnerability has been patched in version 7.0.3.

Detailed Overview:

Researcher Richard Telleng disclosed an authenticated stored cross-site scripting vulnerability in the popular Shortcodes Ultimate WordPress plugin in versions through 7.0.2. The vulnerability exists in the plugin's su_tooltip shortcode due to insufficient input sanitization, allowing authenticated users with at least contributor permissions to supply malicious attributes or tags that could inject arbitrary browser scripts. These injected scripts will execute whenever a user views an affected page, potentially leading to compromised user accounts, site defacements, or further attacks. The plugin developers have patched this medium severity vulnerability in version 7.0.3. Site administrators are urged to update immediately.

Advice for Users:

  1. Immediate Action: Update to Shortcodes Ultimate version 7.0.3 or higher to mitigate this vulnerability.
  2. Check for Signs of Vulnerability: Review page source code and UI for unexpected scripts. Scan core files for unauthorized edits.
  3. Alternate Plugins: Consider alternate shortcode manager plugins like Ultimate Addons for Gutenberg or Advanced Custom Fields.
  4. Stay Updated: Enable auto-updates for plugins when available to receive vulnerability patches rapidly.


Shortcodes Ultimate’s prompt patch availability underscores the importance of timely plugin updates. Users should update to version 7.0.3 as soon as possible to fully mitigate this vulnerability’s threat on WordPress site security.


Detailed Report:

Staying on top of website security is crucial in today's threat landscape. Unfortunately, many WordPress users fail to keep their sites updated, leaving dangerous vulnerabilities unpatched and ready for attackers to exploit. This was the case with a recently disclosed flaw in the popular Shortcodes Ultimate plugin which allowed authenticated users to inject malicious code into pages. While the plugin developers have now issued a patch, outdated sites remain at risk.

Shortcodes Ultimate is an extremely popular WordPress plugin installed on over 600,000 sites to easily add styled boxes, buttons, notifications, and other custom features using shortcodes. On February 19th, security researcher Richard Telleng disclosed a serious vulnerability affecting Shortcodes Ultimate versions up to and including 7.0.2.

The vulnerability exists in the plugin's su_tooltip shortcode, which displays a tooltip or popup text when users hover over specific content. Due to insufficient sanitization of attributes and tags in the shortcode, those with contributor access or higher could supply malicious scripts that would then persist and execute any time a victim viewed an affected page.

This stored cross-site scripting attack means compromised contributors could inject harmful JavaScript, redirect users to phishing pages, steal login cookies, or conduct other damaging actions against site administrators and visitors. The vulnerability provides the initial foothold needed for takeovers, data theft, black hat SEO spam, cryptojacking, and beyond.

While patched in version 7.0.3, sites running older plugin versions remain vulnerable and must immediately update. Additionally, owners should check files for unauthorized edits and scan JavaScript for anything suspicious. If site compromise is suspected, we highly recommend reaching out for expert remediation assistance.

Unfortunately, this marks the 17th vulnerability found in Shortcodes Ultimate since May of 2015. The consistent security issues underscore why plugins with vast feature sets tend to accrue more bugs over time. While the developers respond well to disclosed flaws, users cannot always rely on prompt fixes, making proactive version updates non-negotiable.

For site owners without dedicated technical staff, the endless parade of plugin vulnerabilities proves extremely daunting. We fully understand how security falls through the cracks when one's priority is keeping a business running smoothly. However, attacks through outdated WordPress sites remain an all too common and damaging occurrence. We urge users not to ignore warnings even if the technical details feel overwhelming at first glance.

Don't tackle WordPress security alone - the consequences of a breach are too great. At Your WP Guy, our managed WordPress maintenance services include layers of protection like auto-updates, malware scanning, firewalls and 24/7 monitoring by WordPress experts. We become your outsourced IT team.

Let's chat about migrating your site to our managed hosting so you can finally stop worrying about security issues. We'll fully audit and lock down your site as part of onboarding. Call us at 678-995-5169 to keep your business safe online.

Shortcodes Ultimate Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via su_tooltip Shortcode – CVE-2024-1510 | WordPress Plugin Vulnerability Report FAQs

Leave a Comment