WP Shortcodes Plugin Vulnerability— Shortcodes Ultimate – Authenticated Stored Cross-Site Scripting via shortcode – CVE-2024-0792 |WordPress Plugin Vulnerability Report 

Plugin Name: WP Shortcodes Plugin — Shortcodes Ultimate

Key Information:

  • Software Type: Plugin
  • Software Slug: shortcodes-ultimate
  • Software Status: Active
  • Software Author: gn_themes
  • Software Downloads: 18,460,707
  • Active Installs: 600,000
  • Last Updated: February 12, 2024
  • Patched Versions: 7.0.2
  • Affected Versions: <= 7.0.1

Vulnerability Details:

  • Name: WP Shortcodes Plugin — Shortcodes Ultimate <= 7.0.1
  • Title: Authenticated(Contributor+) Stored Cross-Site Scripting via shortcode
  • Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • CVE: CVE-2024-0792
  • CVSS Score: 6.4
  • Publicly Published: February 7, 2024
  • Researcher: Webbernaut
  • Description: The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in all versions up to and including 7.0.1. This vulnerability arises from insufficient input sanitization and output escaping, particularly in RSS feed content, enabling authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These scripts can execute malicious actions whenever a user accesses an injected page, compromising site security and user safety.


The WP Shortcodes Plugin — Shortcodes Ultimate for WordPress contains a vulnerability in versions up to and including 7.0.1, which allows attackers with at least contributor-level permissions to perform Stored Cross-Site Scripting (XSS) attacks via the plugin's shortcodes. This security flaw has been addressed in the recently released patch, version 7.0.2.

Detailed Overview:

This vulnerability, identified by researcher Webbernaut, poses a significant risk to websites using vulnerable versions of the Shortcodes Ultimate plugin. Stored XSS attacks enable attackers to embed malicious scripts into web pages, which can then execute in the browsers of unsuspecting users. This can lead to a range of exploits, from stealing user session data to defacing websites. The issue was primarily due to the plugin's failure to adequately sanitize user inputs and escape outputs, particularly within RSS feed content that utilizes the plugin's shortcodes. The remediation of this vulnerability involved enhancing the plugin's input sanitization and output escaping mechanisms, thereby preventing attackers from injecting harmful scripts.

Advice for Users:

Immediate Action: It is crucial for users of the WP Shortcodes Plugin — Shortcodes Ultimate to update to the patched version, 7.0.2, without delay to mitigate the risks associated with this vulnerability.

Check for Signs of Vulnerability: Users should review their site for any unusual content modifications or suspicious scripts, especially in pages that use shortcodes. Monitoring website activity logs for unexpected actions can also help in identifying potential exploits.

Alternate Plugins: While the vulnerability has been patched, considering alternative plugins with similar functionality might be wise until confidence in the security of the Shortcodes Ultimate plugin is fully restored.

Stay Updated: Keeping plugins updated is a cornerstone of website security. Regularly checking for updates and applying them promptly ensures protection against known vulnerabilities.


The swift resolution of the Stored XSS vulnerability in the WP Shortcodes Plugin — Shortcodes Ultimate by the development team highlights the ongoing need for vigilance in software maintenance and updates. Website administrators and users are urged to update to version 7.0.2 or later to secure their WordPress installations against this and potentially other vulnerabilities.


In the vast expanse of the digital world, the security of your website stands as a beacon of trust and reliability for your visitors. The recent discovery of a vulnerability in the widely utilized WP Shortcodes Plugin — Shortcodes Ultimate has cast a spotlight on the critical need for vigilance and regular maintenance in safeguarding your digital presence. Identified as CVE-2024-0792, this vulnerability not only underscores the inherent risks in digital tools but also serves as a clarion call to website owners about the importance of proactive security measures.

WP Shortcodes Plugin — Shortcodes Ultimate: A Tool of Convenience

The WP Shortcodes Plugin — Shortcodes Ultimate, crafted by gn_themes, is a cornerstone for enhancing WordPress site functionality. With over 18 million downloads and 600,000 active installs, its role in enriching site content with diverse shortcodes is undeniable. Yet, beneath its utility, the shadow of vulnerability looms.

Unveiling the Vulnerability: CVE-2024-0792

CVE-2024-0792 exposes a chink in the plugin's armor — a Stored Cross-Site Scripting (XSS) flaw that arises from insufficient input sanitization and output escaping. This gap allows attackers with contributor-level access to embed harmful scripts in web pages, which could execute unauthorized actions on behalf of unsuspecting users. The implications are vast, ranging from data theft to unwarranted content manipulation.

The Risks and Impacts at Stake

The potential fallout from this vulnerability is not to be underestimated. For small business owners, the integrity of your website is synonymous with your brand's credibility. An exploited vulnerability can erode customer trust, tarnish your brand image, and even invite legal repercussions. In an era where data is king, safeguarding your users' information is not just a technical necessity but a moral obligation.

Path to Remediation: Safeguarding Your Digital Domain

The beacon of hope in this scenario is the availability of a patch — version 7.0.2 of the plugin — designed to fortify your defenses against this vulnerability. Updating to this version is an immediate and crucial step. However, the journey doesn't end here. Regularly monitoring for updates, understanding the security landscape of the plugins you use, and employing best practices in website maintenance are pivotal.

Learning from the Past: A History of Vulnerabilities

With 16 vulnerabilities reported since May 2015, the WP Shortcodes Plugin — Shortcodes Ultimate's history serves as a stark reminder of the ongoing battle against cyber threats. Each vulnerability, while addressed, reinforces the lesson that digital security is an ever-evolving challenge, demanding constant vigilance and adaptation.

The Imperative of Proactive Security

For small business owners juggling myriad responsibilities, the digital realm's complexities may seem daunting. Yet, the importance of staying abreast of security vulnerabilities cannot be overstated. The digital integrity of your business is a linchpin of your success in the online marketplace. Leveraging resources such as managed WordPress hosting services, security plugins, and professional audits can alleviate the burden, enabling you to focus on your core business while ensuring your digital storefront remains secure and inviting.

In conclusion, the revelation of the CVE-2024-0792 vulnerability in the WP Shortcodes Plugin — Shortcodes Ultimate is a potent reminder of the ever-present need for vigilance in the digital age. For small business owners, embracing a proactive stance towards website security is not just a technical necessity but a fundamental aspect of maintaining your business's credibility and trustworthiness in the eyes of your customers. In the fast-paced world of online business, staying one step ahead in security is not just beneficial; it's imperative.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.


WP Shortcodes Plugin Vulnerability— Shortcodes Ultimate – Authenticated Stored Cross-Site Scripting via shortcode – CVE-2024-0792 |WordPress Plugin Vulnerability Report FAQs

Leave a Comment