Notes:

• Place this in wp-content/mu-plugins/ so it remains active regardless of active theme.
• This is a temporary emergency patch; remove it after the plugin vendor issues an official fix and you update.

2) Sanitize shortcode attributes on save

Apply a filter that sanitizes stored shortcode attributes when posts are saved:

add_filter( 'content_save_pre', function( $content ) {
    // Sanitize any listsearch shortcodes placeholder values
    return preg_replace_callback(
        '/\[listsearch([^\]]*)\]/i',
        function( $m ) {
            $attrs = $m[1];
            // Replace placeholder="... potentially dangerous ..." with a sanitized version
            $attrs = preg_replace_callback(
                '/placeholder=(["\'])(.*?)\1/i',
                function( $ma ) {
                    $val = wp_kses( $ma[2], array() );
                    $val = esc_attr( $val );
                    return 'placeholder="'. $val .'"';
                },
                $attrs
            );
            return '[listsearch' . $attrs . ']';
        },
        $content
    );
}, 10 );

3) Content Security Policy (CSP)

Apply a CSP header to reduce the damage of injected scripts (defense-in-depth). This can break inline scripts — test first.

Header set Content-Security-Policy "default-src 'self' https:; script-src 'self' https:; object-src 'none';"

4) Restrict editors and block types

Disallow Contributors from using the editor that allows shortcodes (Gutenberg block types or Classic Editor). Use block editor settings or capability controls to limit risky block types.

Example WAF rules (generic, product-agnostic)

If you operate a web application firewall or edge filter, add rules to block obvious payloads. Below are conceptual patterns — adapt to your engine's syntax and test to avoid false positives.

• Block requests to post submission endpoints containing script tags or encoded script tags:

  Pattern: <\s*script\b | javascript\s*:

• Block attempts to inject event handlers:

  Pattern: onmouseover=|onerror=|onclick=|onload=

• Shortcode attribute-specific rule — block suspicious placeholder content in post saves:

  \[listsearch[^\]]*placeholder\s*=\s*(['"]).*(<|%3C|javascript:|on\w+=).*?\1

• Rate-limit or require additional checks for requests that create posts as Contributor users.

Recommendation: log first, then block. Monitor for false positives and refine patterns accordingly.

Full incident response checklist (if you suspect compromise)

1. Contain
   • Deactivate the vulnerable plugin immediately.
   • Revoke elevated sessions for administrators: force password resets or expire sessions.
   • Temporarily reduce Contributor privileges or suspend suspicious accounts.
2. Preserve evidence
   • Snapshot the database and files (make read-only copies).
   • Export suspicious posts and plugin data for analysis.
3. Identify and eradicate
   • Scan the database for injected JS and remove instances.
   • Scan files for webshells or unauthorized modifications.
   • Check uploads and theme/plugin files for injected code.
   • Remove unauthorized users or roles identified during investigation.
4. Recover
   • Restore clean files from trusted backups if necessary.
   • Rotate credentials and API keys used by the site.
   • Update or replace the vulnerable plugin once a vendor patch is available.
5. Post-incident
   • Perform a full malware scan and consider a penetration test.
   • Document timeline, root cause, and remediation steps.
   • Implement protections: WAF rules, stricter user policies, and a regular patch schedule.

Developer guidance: how the plugin should have handled attributes

Best practices for plugin authors:

• Validate and sanitize attribute values on input if they are stored.
• Escape values on output using esc_attr(), esc_html(), esc_url(), or wp_kses() as appropriate.
• Avoid injecting untrusted data into HTML, JavaScript or CSS contexts without proper escaping.

Example of correct output escaping for an input placeholder:

$placeholder = isset( $atts['placeholder'] ) ? $atts['placeholder'] : '';
$placeholder = wp_kses( $placeholder, array() ); // strip tags
$value_attr  = esc_attr( $placeholder );
echo '';

Recommended policy changes for site owners and editors

• Limit the number of users with Contributor+ roles. Prefer workflows that do not allow raw HTML or complex shortcode insertion by untrusted users.
• Require moderation for content from untrusted contributors and avoid rendering their content on admin-facing pages without sanitization.
• Harden editorial workflows: add manual review for posts containing shortcodes and for first-time contributors.
• Enforce multi-factor authentication (MFA) for higher-privilege accounts to reduce the impact of credential theft.

Practical examples: finding and removing malicious placeholders

Quick CLI approach using WP-CLI (site root):

# Search for scripts in post content
wp db query "SELECT ID, post_title FROM wp_posts WHERE post_content LIKE '% /tmp/post-123-content.html

Manual cleanup:

• Edit the post in WP Admin as a high-privilege user and remove or sanitize the malicious shortcode.
• If uncertain, remove the entire shortcode instance.
• For heavily infected sites, consider restoring from a clean backup or engaging an experienced incident responder.

Frequently asked questions

Q: Should I immediately delete the plugin?
A: If the plugin is non-critical, deactivate/delete it immediately. If functionality is required, apply temporary mitigations (WAF rules or the safe wrapper mu-plugin) while awaiting an official patch.

Q: Will managed hosting malware scans detect this?
A: Many hosts detect obvious script injections, but stored XSS in shortcodes can be subtle. Proactively search for [listsearch ...] usage and check placeholder attributes.

Q: Does this affect my visitors?
A: Only if the injected output is visible to unauthenticated visitors. If the payload executes only in admin/editor views, it still poses an immediate risk to site control via privilege escalation.

Final recommendations (prioritized)

1. Deactivate the plugin or apply the safe wrapper mu-plugin now.
2. Search the database for malicious placeholders and scripts; remove infected content.
3. Harden contributor capabilities and editorial review processes.
4. Deploy WAF/edge rules to block obvious script injections and encoded equivalents.
5. Audit accounts and reset passwords for suspicious users; enforce MFA for high-privilege roles.
6. Backup evidence, monitor logs, and update the plugin when an official vendor patch is released.
7. Consider engaging a trusted security provider or managed service if you require hands-on remediation assistance.

If you need help implementing the temporary wrapper, WAF rules, or scanning for stored XSS, engage a qualified WordPress security professional familiar with incident response and forensic preservation. Immediate, careful action reduces the chance of escalation and broader compromise.