| Plugin Name | Shortcodes Blocks Creator Ultimate |
|---|---|
| Type of Vulnerability | XSS |
| CVE Number | CVE-2024-12166 |
| Urgency | Medium |
| CVE Publish Date | 2026-03-24 |
| Source URL | CVE-2024-12166 |
Urgent: Reflected XSS in ‘Shortcodes Blocks Creator Ultimate’ (<= 2.2.0) — What WordPress Site Owners Need to Know
TL;DR
Short summary: a reflected XSS (CVE‑2024‑12166) affects Shortcodes Blocks Creator Ultimate ≤ 2.2.0. This advisory rates the urgency Medium (CVSS 7.1), but reflected XSS can be leveraged at scale through phishing or crafted links. The attack vector is the `page` query parameter; exploitation requires the victim to visit a malicious URL but does not require the attacker to be authenticated.
- Identify whether the plugin is installed and the version.
- Update if a vendor patch becomes available. If not, consider removing or deactivating the plugin until a fix is provided.
- Apply mitigations: restrict access to the plugin UI, deploy WAF rules to filter dangerous `page` values, scan and monitor logs, and review activity for signs of compromise.
What is the issue?
Shortcodes Blocks Creator Ultimate (≤ 2.2.0) reflects the value of a page query parameter into HTML output without sufficient server‑side validation or output encoding. An attacker can craft a URL containing malicious input in that parameter. If a victim — particularly someone with administrative privileges — visits the URL, the browser may execute injected JavaScript, leading to session theft, unauthorized actions, or further payload delivery.
Key facts
- Affected plugin: Shortcodes Blocks Creator Ultimate
- Vulnerable versions: ≤ 2.2.0
- Vulnerability class: Reflected Cross‑Site Scripting (XSS)
- CVE: CVE‑2024‑12166
- Privilege required: None (attack vector is unauthenticated, but victim interaction is required)
- CVSS: 7.1 (rated Medium urgency in this advisory; note that 7.1 falls in the High band of the CVSS v3.x qualitative scale, so treat the number rather than the label as the indicator of impact)
- Mitigation status: No vendor patch available for affected versions at time of publication
Why reflected XSS matters for WordPress sites
From a Hong Kong practitioner’s perspective: WordPress sites often have multiple users with elevated privileges. A reflected XSS that reaches an admin can have outsized impact compared with the CVSS number alone. Attackers commonly use social engineering to direct victims to crafted URLs; the combination of mass phishing and widely deployed plugins means this vulnerability can be an effective initial vector.
How the vulnerability works (high level, non‑exploitative)
- The plugin reads a `page` GET parameter from the request.
- The value is inserted into HTML output without sufficient escaping or encoding.
- If the value contains markup or JavaScript contexts, the browser may execute it when rendering the response — this is reflected XSS.
- Because the data is reflected (not stored), exploitation normally requires convincing a user to open a crafted link.
Practical danger: If an admin opens a crafted link, attackers can attempt to perform actions in the admin interface, steal session tokens, install backdoors, or pivot to persistent compromise.
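To make the pattern concrete, here is an added Python illustration of the same class of bug and its fix. It is not the plugin's code (this advisory does not show it); the HTML skeleton, the allow-listed slugs and the function names are assumptions. It goes a little beyond the text above by showing that the encoding must match the output context (text node, attribute, URL) and that allow-listing the slug is the stronger fix, because a `page` value is a menu slug and should never contain markup at all.

```python
"""Added illustration (not the plugin's code): how a reflected `page`
parameter becomes XSS, and how allow-listing plus context-aware encoding
stops it. The HTML skeleton and the allow-listed slugs are assumptions."""
import html
import re
from urllib.parse import quote

# Admin-menu style slugs the handler should accept (assumed allow-list).
KNOWN_PAGES = {"sbc-settings", "sbc-shortcodes", "sbc-help"}
SLUG_RE = re.compile(r"^[a-z0-9][a-z0-9_-]{0,63}$")


def render_unsafe(page: str) -> str:
    """Vulnerable pattern: the raw query value is echoed into two HTML
    contexts (a text node and an href) without validation or encoding."""
    return (
        f"<h2>Page: {page}</h2>\n"
        f'<a href="admin.php?page={page}">Reload</a>'
    )


def render_safe(page: str) -> str:
    """Hardened pattern: reject anything that is not a known slug, then
    encode separately for each output context (HTML body, attribute, URL)."""
    if not SLUG_RE.match(page) or page not in KNOWN_PAGES:
        page = "sbc-settings"  # safe default instead of reflecting the input
    text = html.escape(page, quote=False)  # text-node context
    attr = html.escape(page, quote=True)   # attribute context, quotes encoded
    url = quote(page, safe="")             # URL/query-string context
    return (
        f"<h2>Page: {text}</h2>\n"
        f'<a href="admin.php?page={url}" data-page="{attr}">Reload</a>'
    )


# Constructed payloads, one per reflection context.
PAYLOAD_TEXT = "<script>alert(document.cookie)</script>"
PAYLOAD_ATTR = '"><img src=x onerror=alert(1)>'


def is_neutralised(rendered: str) -> bool:
    """Demo check: no raw script tag or event handler survived rendering."""
    lowered = rendered.lower()
    return "<script" not in lowered and "onerror=" not in lowered


if __name__ == "__main__":
    for payload in (PAYLOAD_TEXT, PAYLOAD_ATTR):
        print("unsafe neutralised:", is_neutralised(render_unsafe(payload)))
        print("safe   neutralised:", is_neutralised(render_safe(payload)))
```

In a WordPress plugin the equivalents are sanitize_key() or an explicit allow-list for the slug, and esc_html(), esc_attr() and esc_url() for the three output contexts; escaping alone, applied with the wrong context in mind, still leaves an attribute breakout open.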
Immediate actions for site owners (within hours)
Priority actions you should take now:
1. Inventory and version check
- Log into WordPress and confirm whether Shortcodes Blocks Creator Ultimate is installed and note the version.
- If you manage multiple sites, use your management tooling to enumerate plugin versions across sites.
2. If you run a vulnerable version (≤ 2.2.0)
- Deactivate or remove the plugin if its functionality is not essential.
- If the plugin is essential and no patch is available, block access to the plugin’s admin pages (by IP or server rules) until a fix is released.
- If you cannot disable the plugin immediately, apply targeted input filtering at the web server or WAF layer to mitigate malicious `page` values.
3. Apply WAF / virtual patching (recommended)
Deploy rules to inspect and normalize the `page` parameter and similar inputs. Normalize before matching (URL-decode, including double-encoded values, and compare case-insensitively), then block or sanitize requests that contain common XSS indicators: script tags, javascript: URIs, suspicious encodings and HTML event attributes. Keep rules tuned to avoid excessive false positives, since `page` is also used legitimately for admin menu slugs and pagination.
4. Scan and monitor for indicators
- Run malware scans across site files and the database.
- Search access logs for requests containing `page=` with suspicious characters or long encoded sequences.
- Review WordPress audit logs for unexpected admin activity, new users, or configuration changes.
5. Notify stakeholders
- Inform admins, editors and your hosting provider. Advise them not to click unexpected links with `page=` parameters from unknown sources.
- Coordinate a remediation timeline if the site is managed by a third party.
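For the log search in step 4, the following added Python script (not part of this advisory) flags access-log requests whose `page` value carries XSS indicators. It URL-decodes repeatedly so percent-encoded and double-encoded payloads are not missed, while ordinary slugs and pagination values are left alone. The log lines are constructed samples in combined log format, and the indicator patterns and length threshold are assumptions to tune the same way you would a WAF rule.

```python
"""Added example (not from the advisory): flag access-log requests whose
`page` query parameter looks like an injection attempt. Sample log lines
are constructed; indicator patterns and MAX_LEN are tuning assumptions."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log lines (Apache/nginx combined log format).
SAMPLE_LOG = """\
203.0.113.5 - - [24/Mar/2026:10:01:02 +0800] "GET /wp-admin/admin.php?page=sbc-settings HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [24/Mar/2026:10:02:11 +0800] "GET /wp-admin/admin.php?page=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5300 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Mar/2026:10:03:45 +0800] "GET /wp-admin/admin.php?page=%2522%253E%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 5301 "-" "curl/8.0"
198.51.100.8 - - [24/Mar/2026:10:04:00 +0800] "GET /wp-admin/admin.php?page=sbc-help&tab=javascript:alert(1) HTTP/1.1" 200 5100 "-" "Mozilla/5.0"
203.0.113.10 - - [24/Mar/2026:10:05:00 +0800] "GET /?p=12&page=2 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)

# Indicators of markup or script injection, matched against the decoded value.
XSS_INDICATORS = re.compile(
    r"<\s*/?\s*[a-z]|"     # an opening or closing HTML tag
    r"javascript\s*:|"     # javascript: URI
    r"\bon[a-z]+\s*=|"     # HTML event handler attribute (onerror=, onload=, ...)
    r"[\"']\s*>",          # quote followed by '>' (attribute breakout)
    re.IGNORECASE,
)
MAX_LEN = 64  # longer than any plausible menu slug; suspicious on its own


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, to defeat double encoding."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_page_values(log_text: str):
    """Return (ip, timestamp, decoded_value, reason) for each request whose
    `page` parameter matches an indicator or is implausibly long. Only the
    `page` parameter is inspected; the fourth sample line shows that a
    payload in another parameter is deliberately not reported here."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        # parse_qs decodes one layer; fully_decode strips any further layers.
        for raw in parse_qs(query, keep_blank_values=True).get("page", []):
            value = fully_decode(raw)
            if XSS_INDICATORS.search(value):
                reason = "xss-indicator"
            elif len(value) > MAX_LEN:
                reason = "oversized"
            else:
                continue
            findings.append((m["ip"], m["ts"], value, reason))
    return findings


if __name__ == "__main__":
    for ip, ts, value, reason in suspicious_page_values(SAMPLE_LOG):
        print(f"{ts} {ip} {reason}: {value!r}")
```

Run it against a real log with `suspicious_page_values(open("access.log").read())`; on the samples above it reports the two injection attempts and ignores the legitimate slug and the `page=2` pagination request. Hits from the same source IP followed by admin-side changes in the WordPress audit log are the combination to investigate first.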
Suggested WAF rules (safe, non‑specific)
Types of rules to consider — tune carefully and monitor for false positives: