Question 1

What exactly is vulnerable in Shortcodes Ultimate?

Accepted Answer

What exactly is vulnerable in Shortcodes Ultimate?

The su_tooltip shortcode contained in versions 7.0.2 and earlier of the Shortcodes Ultimate plugin has an authenticated stored cross-site scripting (XSS) vulnerability. This shortcode displays text in a popup tooltip when users hover over content. Due to insufficient validation of attributes and tags, the shortcode allows contributors and authors to inject malicious scripts that get stored and execute whenever a affected page loads.

Question 2

How serious is this vulnerability?

Accepted Answer

How serious is this vulnerability?

With a CVSS severity score of 6.4 out of 10, this vulnerability is considered medium severity but enables serious impacts such as full site takeovers, data theft, UI redressing for phishing, cryptojacking, and other attacks. The storage element means malicious scripts persist on pages. And while authentication is required, contributors are commonplace making exploitation likely against unaware victims.

Question 3

Could this vulnerability negatively impact my site?

Accepted Answer

Could this vulnerability negatively impact my site?

Yes, if your site runs an affected version of Shortcodes Ultimate, you are at risk. The vulnerability provides an initial point of compromise for attackers to leverage in staging further attacks that could deface your site, steal login credentials and sensitive data from administrators and visitors, spam search engines with bad links to harm SEO, and otherwise damage user trust or lead to legal and regulatory problems in cases of data breaches.

Question 4

How do I know if my site is vulnerable or has been compromised?

Accepted Answer

How do I know if my site is vulnerable or has been compromised?

Your site is vulnerable if running any Shortcodes Ultimate version up to and including 7.0.2. Update to 7.0.3 immediately. To check for compromise, look for unauthorized edits in files and databases, scan JavaScript for obfuscated or outright malicious looking code, and watch for sudden redirections or UI/UX changes unexplained by updates. If still unsure, professionals can conduct compromise assessments and carefully inspect everything.

Question 5

Should I just delete Shortcodes Ultimate and find an alternative?

Accepted Answer

Should I just delete Shortcodes Ultimate and find an alternative?

Uninstalling the plugin prevents continued vulnerability exposure, but does not remove existing malicious code if already attacked, hence why compromise checks remain vital. Alternate shortcode plugins avoid this flaw but may harbor other bugs, making staying updated imperative no matter the replacement. For site integrity reasons, professional cleanup of malicious remnants often proves wise before installing anything new.

Question 6

What if I need Shortcodes Ultimate for my business site to function?

Accepted Answer

What if I need Shortcodes Ultimate for my business site to function?

Understandable if you rely on custom shortcode features, especially with intricate site integration. In this case, updating to Shortcodes Ultimate 7.0.3 or higher will fully patch the vulnerability without losing functionality or triggering extensive regressions. We still advise compromise checks as attacking the flaw pre-patch remains possible. For peace of mind, additional hardening of WordPress permissions, folders, error reporting and more can further boost security.

Question 7

How do I actually update Shortcodes Ultimate properly?

Accepted Answer

How do I actually update Shortcodes Ultimate properly?

Log into your WP dashboard, click "Plugins" on the left, click "Update" next to Shortcodes Ultimate, then click the minor version update likely prefixed with "Bug fixes and enhancements". Disable, test on a staging copy if possible, clear caches, check nothing breaks. Updating securely may require tweaking file/folder permissions after. If issues arise, experts can assist smooth, proper, restoration focused updates.

Question 8

I updated but the vulnerable version remains active, why?

Accepted Answer

I updated but the vulnerable version remains active, why?

Sometimes plugin updates incorrectly leave old buggy copies active instead truly updating. Check the active plugin version shown matches the newest fixed release. If wrong, fully deleting Shortcodes Ultimate then reinstalling the latest files usually resolves this quirk. Conservative types might backup files beforehand. Refreshing dashboard and browser cache also helps. Still stuck? professionals can investigate and remove lingering vulnerable versions.

Question 9

My site was hacked through this flaw already, what now?

Accepted Answer

My site was hacked through this flaw already, what now?

Immediately take the compromised site offline by renaming wp-config.php. Backup all files and databases safely for later inspection. Next secure clean reinstalls of WordPress core, themes and trusted plugins on a freshly setup web space. Update Shortcodes Ultimate on this secured copy last. Restore sanitized production content. Inspect backups to determine attack scope for disclosure duties if regulated. Experts aid safe restoration, vulnerability checks, removal of backdoors, providing legal/PR advice.

Question 10

How can I prevent this from happening again in the future?

Accepted Answer

How can I prevent this from happening again in the future?

Beyond updating Shortcodes Ultimate, broadly strengthen WordPress security by enabling strong passwords, automatic background updates for core and plugins, restrictive file permissions on directories, disable file editing capabilities and error information leakage. Run trustworthy security plugins like Wordfence to continually check files. Contract reputable developers to implement application security standards and audit the entire architecture. Signup for monitoring services alerting you to vulnerabilities and attacks as they arise.

Website Maintenance

Shortcodes Ultimate Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via su_tooltip Shortcode – CVE-2024-1510 | WordPress Plugin Vulnerability Report

Ocean Extra Vulnerability- Authenticated (Contributor+) Stored Cross-Site Scripting – CVE-2024-1277 | WordPress Plugin Vulnerability Report

Best WordPress Gallery Plugin Vulnerability– FooGallery – Authenticated(Administrator+) Stored Cross-Site Scripting via Settings – CVE-2024-0604 | WordPress Plugin Vulnerability Report

Email Encoder Vulnerability– Protect Email Addresses and Phone Numbers – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode – CVE-2024-1282 |WordPress Plugin Vulnerability Report

Happy Addons for Elementor Vulnerability- Authenticated (Contributor+) Stored Cross-Site Scripting – CVE-2024-0438 |WordPress Plugin Vulnerability Report

Bold Page Builder Vulnerability- Authenticated (Contributor+) Stored Cross-Site Scripting via Icon Link – CVE-2024-1160 |WordPress Plugin Vulnerability Report

WP Booking Calendar Vulnerability- Unauthenticated SQL Injection – CVE-2024-1207 | WordPress Plugin Vulnerability Report

WP Recipe Maker Vulnerability- Missing Authorization to Authenticated SQL Injection – CVE-2024-1206 |WordPress Plugin Vulnerability Report

WP Shortcodes Plugin Vulnerability— Shortcodes Ultimate – Authenticated Stored Cross-Site Scripting via shortcode – CVE-2024-0792 |WordPress Plugin Vulnerability Report

AMP for WP Vulnerability– Accelerated Mobile Pages – Authenticated Arbitrary Post Deletion via amppb_remove_saved_layout_data – CVE-2024-1043 |WordPress Plugin Vulnerability Report

Recent Blog Posts

WordPress 500 Internal Server Error: What It Means and How to Fix It

Yoast SEO – Advanced SEO with real-time guidance and built-in AI Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘jsonText’ Block Attribute – CVE-2026-3427 | WordPress Plugin Vulnerability Report

The Events Calendar Vulnerability – Missing Authorization to Authenticated (Subscriber+) Data Migration Control – CVE-2025-15043 | WordPress Plugin Vulnerability Report

Additional Resources

About Your WP Guy