WP Shortcodes Plugin Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting – CVE-2023-6488 | WordPress Plugin Vulnerability Report

Plugin Name: WP Shortcodes Plugin

Key Information:

  • Software Type: Plugin
  • Software Slug: shortcodes-ultimate
  • Software Status: Active
  • Software Author: gn_themes
  • Software Downloads: 18,131,157
  • Active Installs: 600,000
  • Last Updated: December 18, 2023
  • Patched Versions: <= 7.0.0
  • Affected Versions: 7.0.1

Vulnerability Details:

  • Name: WP Shortcodes Plugin — Shortcodes Ultimate <= 7.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
  • Title: Authenticated (Contributor+) Stored Cross-Site Scripting
  • Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CVE: CVE-2023-6488
  • CVSS Score: 5.4 (Medium)
  • Publicly Published: December 18, 2023
  • Researcher: Webbernaut
  • Description: The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'su_button', 'su_members', and 'su_tabs' shortcodes in all versions up to, and including, 7.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.


The WP Shortcodes Plugin for WordPress has a vulnerability in versions up to and including 7.0.1 that allows for authenticated stored cross-site scripting by users with contributor-level access or higher. This vulnerability has been patched in version 7.0.2.

Detailed Overview:

The vulnerability arises from insufficient input sanitization and output escaping of user-supplied attributes in the 'su_button', 'su_members', and 'su_tabs' shortcodes provided by the plugin. By injecting malicious scripts into the shortcode attributes, an attacker can store scripts that will execute whenever a user views a page containing the injected shortcode. This exposes users to potential phishing, session hijacking, or other browser-based attacks.

Advice for Users:

  1. Immediate Action: Update to version 7.0.2 or higher to patch this vulnerability.
  2. Check for Signs of Vulnerability: Review pages and posts for unexpected shortcodes that could contain malicious scripts. Also monitor site traffic and user behavior for signs of compromise.
  3. Alternate Plugins: Consider using alternate shortcode plugins like Shortcoder as a precaution until more is known about this vulnerability.
  4. Stay Updated: Ensure all WordPress plugins are kept updated to the latest versions to get timely security patches.


The quick response from the developers to patch this stored XSS vulnerability shows their commitment to user security. Users are strongly advised to update as soon as possible to Shortcodes Ultimate version 7.0.2 or higher.




Detailed Report:

Keeping your WordPress website and its plugins up to date is critical for security. Unfortunately, vulnerabilities too often arise that put sites at risk until patches are made available. This is the case with a recently disclosed stored cross-site scripting (XSS) vulnerability affecting the popular WP Shortcodes Plugin, used on over 600,000 sites.

By exploiting this vulnerability, attackers could inject malicious code into sites running affected versions of the plugin, exposing site visitors to potential phishing attacks, credential theft, and other threats. If you use this plugin, updating to version 7.0.2 or higher will safeguard your site. Even if you don’t use this specific plugin, the issue highlights the ongoing importance of prompt security updates for all sites.

The WP Shortcodes Plugin provides various shortcodes for adding styled elements, tabs, slideshows, and other functionality through a simple shortcode system. It’s been downloaded over 18 million times and has an estimated 600,000 active installs.

The developers recently patched a vulnerability that allowed authenticated users with “contributor” permissions or higher to inject arbitrary JavaScript or HTML into shortcodes that would then execute for any visitor to the site. By targeting shortcodes like su_button, su_members, and su_tabs, attackers could potentially carry out phishing attacks, steal login credentials, or compromise site visitors in other ways if they viewed pages with the injected shortcodes.

This vulnerability put sites at serious risk until developers issued a patch in version 7.0.2. All sites running Shortcodes Ultimate 7.0.1 or earlier are urged to update immediately to close this vulnerability. Additionally, sites should be checked for any unauthorized shortcodes that may have been injected while the site was vulnerable.
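One way to carry out the content check described above and in step 2 of the advice list, as an added example that is not part of the original report or the plugin's code. It assumes post bodies have been exported as a mapping of post ID to raw content (for instance from wp_posts.post_content); the rule set is a heuristic chosen for this example, and the attribute names in the sample data are placeholders, since the report does not say which attributes were affected.

```python
import html
import re

# Shortcode tags named in the advisory.
TAGS = ("su_button", "su_members", "su_tabs")
SHORTCODE_RE = re.compile(r"\[(%s)\b([^\]]*)\]" % "|".join(TAGS))
# key="value", key='value' or key=value
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s\]]+))""")

# Heuristic rules (assumptions of this example, not the plugin's patch logic).
RULES = [
    ("script-scheme", re.compile(r"^(javascript|vbscript|data):", re.I)),
    ("event-handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("markup", re.compile(r"[<>]")),
]

def scan_post(post_id, content):
    """Return (post_id, tag, attribute, rule) for each suspicious attribute."""
    findings = []
    for sc in SHORTCODE_RE.finditer(content):
        for attr in ATTR_RE.finditer(sc.group(2)):
            raw = attr.group(2) or attr.group(3) or attr.group(4) or ""
            # Entity-encoded characters are decoded by the browser, so decode first.
            value = html.unescape(raw)
            # Whitespace and control characters are ignored inside URL schemes.
            compact = re.sub(r"[\x00-\x20]+", "", value)
            for rule, rx in RULES:
                if rx.search(compact if rule == "script-scheme" else value):
                    findings.append((post_id, sc.group(1), attr.group(1), rule))
    return findings

# Constructed sample content; attribute names are placeholders.
SAMPLE_POSTS = {
    101: '[su_button attr_a="https://example.com/docs" attr_b="large"]Docs[/su_button]',
    102: '[su_button attr_a="javascript:void(0)"]Go[/su_button]',
    103: '[su_tabs attr_c="x&quot; onmouseover=&quot;1"][/su_tabs]',
    104: '[su_members attr_d="&lt;b&gt;Members&lt;/b&gt;"]text[/su_members]',
    105: '[gallery ids="1,2"] plain text, no targeted shortcode',
}

def scan_all(posts):
    """Scan every post in ID order and return the combined findings."""
    return [f for pid, body in sorted(posts.items()) for f in scan_post(pid, body)]

if __name__ == "__main__":
    for finding in scan_all(SAMPLE_POSTS):
        print(finding)
```

Findings are leads for manual review, not verdicts: a legitimate query string such as "?only=1" would trip the event-handler rule, so check the author and revision history of each flagged post.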

Security vulnerabilities like this one demonstrate the importance of having WordPress experts regularly monitor, maintain and update your site. At Your WP Guy, we offer ongoing management to handle updates, security monitoring, backups, uptime and support so you can stop worrying and get back to growing your business.
