WP Shortcodes Plugin — Shortcodes Ultimate Vulnerability (Medium) -…

by | Apr 15, 2026 | Plugins

Attack Vectors

The WP Shortcodes Plugin — Shortcodes Ultimate (slug: shortcodes-ultimate) vulnerability (CVE-2026-3885, Medium severity, CVSS 6.4) is exploitable by an authenticated WordPress user with Contributor-level access or higher. The attacker can abuse the plugin’s su_box shortcode by placing malicious script content into user-supplied shortcode attributes.

Because this is a stored cross-site scripting (XSS) issue, the injected content is saved in your site content and can execute whenever a victim visits the affected page or post. In practical terms, this can be triggered through normal editorial workflows—anywhere Contributors can draft or publish content that includes the su_box shortcode.

Security Weakness

Shortcodes Ultimate versions up to and including 7.4.9 are affected due to insufficient input sanitization and output escaping of user-supplied attributes in the su_box shortcode. This means the plugin does not consistently neutralize potentially dangerous characters or code before saving content or rendering it to visitors.

This is a common class of content-layer risk: the site behaves normally, but hidden payloads can be stored inside seemingly legitimate page elements and then executed in a visitor’s browser.
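The weak pattern the advisory describes, placed beside a hardened version, as an added PHP illustration that is not the Shortcodes Ultimate plugin's own code: the shortcode name demo_box and its attributes title and box_color are assumed, chosen only to mirror the kind of user-supplied attributes a box shortcode takes.

```php
<?php
// Added illustration, not code from the Shortcodes Ultimate plugin.
// Hypothetical [demo_box] handler: the weak form echoes attributes raw,
// the hardened form escapes each value for the context it lands in.

// Weak: attribute values supplied by a Contributor reach the markup
// unescaped, so anything stored in them is rendered to every visitor.
function demo_box_shortcode_unescaped( $atts, $content = null ) {
    $atts = shortcode_atts(
        array( 'title' => '', 'box_color' => '#333333' ), $atts, 'demo_box'
    );
    return '<div class="demo-box" style="border-color:' . $atts['box_color'] . '">'
         . '<div class="demo-box-title">' . $atts['title'] . '</div>'
         . '<div class="demo-box-content">' . do_shortcode( $content ) . '</div>'
         . '</div>';
}

// Hardened: Contributors lack unfiltered_html, but shortcodes expand at
// render time, so escaping must happen here. Validate the colour against
// a strict hex allow-list, escape the title as HTML text, escape the style
// value as an attribute, and run nested content through wp_kses_post().
function demo_box_shortcode_escaped( $atts, $content = null ) {
    $atts = shortcode_atts(
        array( 'title' => '', 'box_color' => '#333333' ), $atts, 'demo_box'
    );

    // sanitize_hex_color() yields null for anything that is not #rgb/#rrggbb.
    $color = sanitize_hex_color( $atts['box_color'] );
    if ( empty( $color ) ) {
        $color = '#333333'; // fall back to the default instead of the raw input
    }

    return '<div class="demo-box" style="border-color:' . esc_attr( $color ) . '">'
         . '<div class="demo-box-title">' . esc_html( $atts['title'] ) . '</div>'
         . '<div class="demo-box-content">'
         . wp_kses_post( do_shortcode( $content ) )
         . '</div>'
         . '</div>';
}

add_shortcode( 'demo_box', 'demo_box_shortcode_escaped' );
```

Registering only the escaped handler keeps the weak one as a reference for code review; the same context-specific escaping applies to any other attribute a shortcode prints.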

Technical or Business Impacts

If exploited, stored XSS can lead to account compromise (including administrators), unauthorized changes to site content, and data exposure within the victim’s browser session. While the vulnerability requires a logged-in user with at least Contributor permissions, that is still a realistic threat path for organizations with multiple authors, agencies, contractors, or community contributors.

From a business perspective, impacts can include brand damage (defaced pages or malicious redirects), loss of customer trust, disruption to campaigns and landing pages, and compliance concerns if user data is exposed or tracking scripts are altered. Because the CVSS vector indicates a changed scope (S:C), the issue can have broader effects than a single page—especially if an admin views the injected content and their session is leveraged.

Remediation: Update WP Shortcodes Plugin — Shortcodes Ultimate to version 7.5.0 or a newer patched version. As a governance best practice, also review who has Contributor access, monitor recent content changes for unexpected shortcode usage, and ensure your incident response plan covers web content integrity.

Reference: CVE-2026-3885 | Wordfence advisory source
