WP Shortcodes Plugin Vulnerability — Shortcodes Ultimate – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode – CVE-2024-3550 | WordPress Plugin Vulnerability Report

Plugin Name: WP Shortcodes Plugin — Shortcodes Ultimate

Key Information:

  • Software Type: Plugin
  • Software Slug: shortcodes-ultimate
  • Software Status: Active
  • Software Author: gn_themes
  • Software Downloads: 20,031,592
  • Active Installs: 600,000
  • Last Updated: May 13, 2024
  • Patched Versions: 7.1.3
  • Affected Versions: <= 7.1.2

Vulnerability Details:

  • Name: WP Shortcodes Plugin — Shortcodes Ultimate <= 7.1.2
  • Title: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • CVE: CVE-2024-3550
  • CVSS Score: 6.4
  • Publicly Published: April 29, 2024
  • Researcher: stealthcopter
  • Description: The WP Shortcodes Plugin — Shortcodes Ultimate for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 7.1.2. This vulnerability arises due to insufficient input sanitization and output escaping on user-supplied attributes, allowing authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.


The WP Shortcodes Plugin — Shortcodes Ultimate for WordPress has a vulnerability in versions up to and including 7.1.2 that allows authenticated contributors to inject harmful scripts into web pages. This vulnerability has been patched in version 7.1.3.

Detailed Overview:

The vulnerability discovered in WP Shortcodes Plugin — Shortcodes Ultimate, specifically identified by researcher stealthcopter, presents a significant security risk. It involves stored cross-site scripting (XSS) that can be triggered via the plugin’s shortcodes. An attacker with at least contributor-level access can exploit this by injecting malicious scripts into content that is saved on the website. Whenever any user accesses the compromised page, the malicious script executes, potentially leading to data theft, session hijacking, and other security breaches. This issue was resolved in the latest patch, version 7.1.3, where proper sanitization and escaping mechanisms were introduced to prevent further exploitation.

Advice for Users:

  • Immediate Action: Update to version 7.1.3 immediately to close off the vulnerability.
  • Check for Signs of Vulnerability: Monitor your site for any unusual content alterations or suspicious scripts embedded within posts or pages that could indicate past exploitation.
  • Alternate Plugins: While the latest patch addresses the current vulnerability, consider evaluating other reputable shortcode plugins as alternatives for enhanced security measures.
  • Stay Updated: Consistently updating your WordPress plugins is crucial to protect against newly discovered vulnerabilities and ensure your site remains secure.
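
One way to carry out the "Check for Signs of Vulnerability" step, as an added example that is not code from the plugin or from this report: a Python audit that scans exported post content for shortcode attributes carrying script-like values. It assumes the plugin's default `su_` tag prefix and rows exported as (post ID, author role, post content); `su_example` and the sample rows are constructed, and the checks are heuristics whose hits need manual review.

```python
import html
import re

# Assumption: the plugin's shortcodes use its default "su_" tag prefix.
SHORTCODE_RE = re.compile(r"\[(su_\w+)\b([^\]]*)\]", re.I)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s\]]+))""")

# Heuristics: things a legitimate shortcode option value should not contain.
CHECKS = [
    ("markup characters", re.compile(r"[<>]")),
    ("inline event handler", re.compile(r"\bon[a-z]{3,}\s*=", re.I)),
]
SCHEME_RE = re.compile(r"^(?:javascript|vbscript|data):", re.I)


def suspicious_reasons(value):
    """Return the reasons an attribute value looks like injected script."""
    decoded = html.unescape(value)  # catch entity-encoded forms too
    reasons = [name for name, rx in CHECKS if rx.search(decoded)]
    # Browsers ignore control characters and whitespace inside a URL scheme.
    if SCHEME_RE.match(re.sub(r"[\x00-\x20]+", "", decoded)):
        reasons.append("script-capable URL scheme")
    return reasons


def audit_posts(posts):
    """posts: iterable of (post_id, author_role, post_content) tuples."""
    findings = []
    for post_id, role, content in posts:
        for tag, raw_attrs in SHORTCODE_RE.findall(content):
            for name, dq, sq, bare in ATTR_RE.findall(raw_attrs):
                for reason in suspicious_reasons(dq or sq or bare):
                    findings.append((post_id, role, tag.lower(), name, reason))
    return findings


# Constructed sample rows; "su_example" is a hypothetical tag name.
SAMPLE_POSTS = [
    (101, "editor", '[su_example title="Spring sale" url="https://example.com/"]'),
    (102, "contributor", "[su_example title='x\" onmouseover=\"alert(1)']"),
    (103, "contributor", '[su_example url="java&#x09;script:alert(1)"]'),
    (104, "author", "Plain text with [gallery ids='1,2'] and no plugin shortcode."),
]

if __name__ == "__main__":
    for finding in audit_posts(SAMPLE_POSTS):
        print(finding)
```

Findings on posts written by contributor or author accounts deserve attention first, since those roles are the ones this vulnerability lets inject script.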


The swift action taken by the developers of the WP Shortcodes Plugin — Shortcodes Ultimate to address the security flaw highlights the ongoing challenges and the dynamic nature of web security. It is imperative for all users, particularly those managing or operating WordPress websites, to install updates promptly and remain vigilant against potential vulnerabilities. Ensuring that your website is running the patched version, 7.1.3 or later, is essential to maintain a secure and robust online presence.


Detailed Report: 

Securing Your Digital Front Door: The Urgent Need to Update WordPress Plugins

In the bustling world of online content management, WordPress plugins significantly enhance functionality and user experience. However, these plugins can also serve as potential entry points for cyber threats if not regularly updated. A recent vulnerability in the WP Shortcodes Plugin — Shortcodes Ultimate underscores the critical importance of keeping these tools current. As of April 2024, a security flaw identified as CVE-2024-3550 (CVSS score 6.4) has put numerous sites at risk, allowing authenticated users with contributor-level access or above to carry out stored cross-site scripting (XSS) attacks.

About the Plugin and the Vulnerability:

WP Shortcodes Plugin — Shortcodes Ultimate, a staple on over 600,000 WordPress sites, is known for enhancing site functionality by allowing easy insertion of elements into pages and posts. Despite its popularity and broad usage, the plugin became a target for cyber-attacks due to a vulnerability in versions up to and including 7.1.2. The flaw, publicly disclosed on April 29, 2024, by researcher stealthcopter, involves insufficient sanitization and escaping of user inputs, making sites susceptible to stored XSS attacks where malicious scripts are injected into web pages.

Risks and Potential Impacts:

This vulnerability exposes websites to data theft, session hijacking, and unauthorized content manipulation. Stored XSS is particularly dangerous as the injected scripts can lie dormant until triggered by unsuspecting users, potentially compromising personal information and website integrity. Given the plugin’s extensive install base, the impact of this vulnerability is broad, affecting potentially thousands of websites and their users.

Vulnerability Remediation:

The immediate remediation step is to update the plugin to version 7.1.3, which patches the XSS vulnerability. Website administrators should also review their site for signs of compromise, including checking for unusual administrative activities or unexpected content changes. It’s crucial to regularly update all plugins, themes, and core WordPress installations to their latest versions to prevent similar vulnerabilities.

Overview of Previous Vulnerabilities:

The WP Shortcodes Plugin — Shortcodes Ultimate has had 22 documented vulnerabilities since May 5, 2015. This history underscores the importance of continuous vigilance and the need for regular security reviews and updates.


For small business owners, the task of continuously monitoring and updating a WordPress website can seem daunting. However, the digital security of your business is as crucial as the locks on your doors. Neglecting it can lead to severe consequences. Implementing automated security solutions, such as managed WordPress hosting services or automated update plugins, can help keep your site secure without constant manual oversight. Remember, proactive security practices save time and resources in the long run by preventing breaches before they occur.

In a world where digital threats are constantly evolving, staying informed and prepared is your best defense. Ensure your website is safeguarded by keeping all components up to date and staying alert to new vulnerabilities.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.
