Shortcoder — Create Shortcodes for Anything Vulnerability (Medium) …

by | Mar 6, 2026 | Plugins

Attack Vectors

Shortcoder — Create Shortcodes for Anything (slug: shortcoder) is affected by a Medium severity issue (CVSS 6.4) identified as CVE-2026-27074. This is an authenticated Stored Cross-Site Scripting (XSS) vulnerability impacting versions up to and including 6.5.1.

The primary attack path involves an attacker who already has legitimate access to your WordPress site with Contributor-level permissions or higher. From there, they can inject malicious script into content created through the plugin's functionality; that script is stored on your site and runs later when other users view the affected page.

Because this is a stored issue, the harmful script can execute repeatedly—potentially affecting executives, marketing staff, finance, and compliance users who access compromised pages through normal business workflows (campaign reviews, content approvals, landing page checks, or reporting dashboards).

Security Weakness

CVE-2026-27074 stems from insufficient input sanitization and output escaping in Shortcoder — Create Shortcodes for Anything versions ≤ 6.5.1. In plain terms, the plugin does not adequately prevent potentially harmful script content from being saved and then displayed back to users in a way that the browser will execute.

The risk is heightened by the fact that it can be exploited by authenticated users with relatively common roles (Contributor+), which increases exposure in organizations that rely on multiple authors, agencies, contractors, or distributed teams to publish and manage web content.
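To make the two missing controls concrete, the following is an added illustration, not Shortcoder's code and not derived from the actual fix: a hypothetical minimal "custom shortcode" plugin whose function names (xs_*) and option key (xs_snippets) are invented. The insecure pair stores author input as-is and echoes it raw; the hardened pair filters the submission according to the saving user's capability (Contributors and Authors lack unfiltered_html) and filters again on output.

```php
<?php
/**
 * Added example (hypothetical plugin, not Shortcoder's code).
 * Shows the sanitize-on-save and filter-on-output controls whose
 * absence the advisory describes. All xs_* names are invented.
 */

// INSECURE pattern: stores whatever an author submits and returns it raw.
function xs_save_snippet_insecure( $name, $body ) {
    $snippets          = get_option( 'xs_snippets', array() );
    $snippets[ $name ] = $body;                 // no sanitization at all
    update_option( 'xs_snippets', $snippets );
}
function xs_render_insecure( $atts ) {
    $atts     = shortcode_atts( array( 'name' => '' ), $atts, 'xs' );
    $snippets = get_option( 'xs_snippets', array() );
    // Raw stored HTML reaches the page; any <script> or on* handler executes.
    return isset( $snippets[ $atts['name'] ] ) ? $snippets[ $atts['name'] ] : '';
}

// HARDENED pattern: filter on save based on the saving user's capability,
// and again on output so a tampered database row cannot reintroduce script.
function xs_save_snippet( $name, $body ) {
    $name = sanitize_key( $name );
    // Contributor and Author roles do not have 'unfiltered_html';
    // wp_kses_post() keeps post-safe HTML and strips script/event markup.
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        $body = wp_kses_post( $body );
    }
    $snippets          = get_option( 'xs_snippets', array() );
    $snippets[ $name ] = $body;
    update_option( 'xs_snippets', $snippets );
}
function xs_render( $atts ) {
    $atts     = shortcode_atts( array( 'name' => '' ), $atts, 'xs' );
    $name     = sanitize_key( $atts['name'] );
    $snippets = get_option( 'xs_snippets', array() );
    if ( ! isset( $snippets[ $name ] ) ) {
        return '';
    }
    // Output filtering: allow only post-safe HTML regardless of what is stored.
    return wp_kses_post( $snippets[ $name ] );
}
add_shortcode( 'xs', 'xs_render' );
```

With the hardened functions, a Contributor's `<script>` or `onerror=` payload is removed when saved and again when rendered, while ordinary formatting markup still works for legitimate authors.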

Technical or Business Impacts

A stored XSS issue can translate quickly into business risk. If exploited, it may enable actions such as unauthorized changes initiated from a victim’s browser session, misuse of authenticated access, or interference with how pages display and behave—potentially impacting brand trust and conversion performance.

For marketing and leadership teams, the practical impacts can include disruption to campaign pages, altered calls-to-action, reputational damage if visitors encounter unexpected behavior, and increased operational burden for incident response and compliance review. The CVSS vector (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) signals that it can be triggered over the network with low complexity once an attacker has the required authenticated role, and it can affect data confidentiality and integrity.

Recommended action: Update Shortcoder — Create Shortcodes for Anything to version 6.5.2 or a newer patched release to remediate this issue. You can review the CVE record here: https://www.cve.org/CVERecord?id=CVE-2026-27074.

Similar Attacks

Stored cross-site scripting is a common pattern in real-world WordPress incidents because it can persist on a site and affect many users over time. For context, here are a few well-known examples:

CVE-2017-5487 (WordPress Core Stored XSS)
CVE-2018-6389 (WordPress-related DoS discussion; often cited in WordPress risk briefings)
Elementor Pro Persistent XSS analysis (Wordfence)
