Security Advisory: XSS in Shortcodes Ultimate (CVE-2026-3885)

Cross Site Scripting (XSS) in WordPress Shortcodes Ultimate Plugin

Critical update: Stored XSS in Shortcodes Ultimate (<= 7.4.9) — what WordPress admins must do now


Plugin Name: Shortcodes Ultimate
Type of Vulnerability: Cross-Site Scripting (XSS)
CVE Number: CVE-2026-3885
Urgency: Low
CVE Publish Date: 2026-04-15
Source URL: CVE-2026-3885

Date: 15 Apr, 2026  |  CVE: CVE-2026-3885  |  Severity: CVSS 6.5 (Medium) — Patch available in Shortcodes Ultimate 7.5.0

Summary: A stored Cross‑Site Scripting (XSS) vulnerability exists in the su_box shortcode of Shortcodes Ultimate up to and including version 7.4.9. An authenticated user with Contributor privileges can store malicious payloads that execute when the content is rendered (including in admin previews). The plugin author released a fix in version 7.5.0. Update immediately.

Quick summary

  • Vulnerability: Stored Cross‑Site Scripting in the su_box shortcode (Shortcodes Ultimate ≤ 7.4.9).
  • Required privilege: Contributor (authenticated, non‑admin).
  • Exploit complexity: A Contributor must insert crafted content; a privileged user or a visitor must render the stored content for execution.
  • Impact: Arbitrary JavaScript execution in the victim’s browser — session theft, privilege escalation, defacement, redirects, or further payload delivery.
  • CVE: CVE-2026-3885.
  • Fix: Upgrade Shortcodes Ultimate to 7.5.0 or newer immediately.

What happened (plain language)

Shortcodes let authors insert dynamic elements into posts and pages. In affected versions, the su_box shortcode handler built its HTML output from shortcode attributes and enclosed content without adequately sanitizing or escaping them. A Contributor can therefore store crafted input that contains executable JavaScript; when that content is later rendered (front‑end or admin preview), the browser executes the injected script. Because the payload is persistent in the database, it can affect any user who views the content.

Stored XSS is hazardous because stored payloads persist and can execute in contexts with elevated privileges (for example, when an editor or admin previews a post), increasing the potential damage.

Why this matters for your site

  • Contributor accounts are common on multi‑author blogs, membership sites and editorial workflows — compromise or misuse of such accounts is an easy attack vector.
  • Stored XSS can enable account takeover (cookie or token theft), administrative actions via CSRF-style flows, content defacement, and malware delivery.
  • Even with a medium CVSS score, stored XSS scales well: one stored payload can affect many visitors or staff members.

Realistic attack scenarios

  1. Editorial sabotage: A contributor publishes a post using the su_box shortcode with a hidden malicious payload. An editor or admin previews the post in the dashboard; the script executes and steals session tokens or performs actions.
  2. Compromised contributor account: An attacker gains Contributor credentials and plants a persistent payload in posts, which later exposes visitors or staff.
  3. Social engineering: An attacker convinces an editor to open a preview or click a link that triggers the stored payload.
  4. Mass abuse: Attackers create multiple malicious entries (if shortcodes are allowed in comments or other editable fields) to increase reach.

Technical details (high level)

  • Root cause: insufficient sanitization/escaping of user-provided data handled by su_box.
  • Storage: Payloads are persisted in the WordPress database (post_content, postmeta, or similar serialized fields).
  • Execution: When the shortcode is rendered (front-end or admin preview), the stored markup is emitted and the browser runs the script.
  • Privilege required: Contributor — an unauthenticated visitor alone cannot place the payload, but compromised contributor accounts or relaxed role capabilities make this dangerous.
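As a worked example that is not part of this advisory or the plugin's own code, the following Python triage script extracts su_box shortcodes from stored post_content and flags markup that correct escaping of attributes or box body would have neutralised. The rows in SAMPLE_POSTS are constructed; in a real audit feed it rows from the wp_posts table.

```python
import re
from typing import List, Tuple

# [su_box ...]body[/su_box] in WordPress shortcode syntax. Attribute text is kept raw
# on purpose: we want to inspect it exactly as it was stored in the database.
SU_BOX_RE = re.compile(
    r"\[su_box(?P<attrs>[^\]]*)\](?P<body>.*?)\[/su_box\]", re.IGNORECASE | re.DOTALL)

# Markup that proper escaping of a shortcode attribute or box body would have neutralised.
SUSPICIOUS = {
    "script-tag": re.compile(r"<\s*script\b", re.I),
    "event-handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "javascript-uri": re.compile(r"javascript\s*:", re.I),
    "active-element": re.compile(r"<\s*(iframe|object|embed|svg)\b", re.I),
}

def scan_post(post_id: int, content: str) -> List[Tuple[int, str, str]]:
    """Return (post_id, location, marker) for each suspicious su_box occurrence.

    location is 'attrs' (the raw attribute string) or 'body' (the box content).
    A hit is a triage signal, not proof: boxes may legitimately contain some HTML.
    """
    findings = []
    for m in SU_BOX_RE.finditer(content):
        for location in ("attrs", "body"):
            for marker, pat in SUSPICIOUS.items():
                if pat.search(m.group(location)):
                    findings.append((post_id, location, marker))
    return findings

# Constructed rows in the shape of wp_posts (ID, post_content); not real site data.
SAMPLE_POSTS = [
    (101, '[su_box title="Release notes" style="soft"]Version 7.5.0 fixes CVE-2026-3885.[/su_box]'),
    (102, '[su_box title="Team update" onmouseover=alert(1)]Looks harmless.[/su_box]'),
    (103, '[su_box title="News"]<script>document.title="x"</script>[/su_box]'),
    (104, 'No shortcode here, just a <b>bold</b> paragraph.'),
]

def scan_posts(posts=SAMPLE_POSTS) -> List[Tuple[int, str, str]]:
    """Scan a list of (ID, post_content) rows and collect every finding."""
    return [f for post_id, content in posts for f in scan_post(post_id, content)]

if __name__ == "__main__":
    for post_id, location, marker in scan_posts():
        print(f"post {post_id}: {marker} found in su_box {location}")
```

Every flagged post should be reviewed by hand, together with the revision history and the author account that last edited it.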

Indicators of compromise (IoC) — what to look for

If you suspect abuse, check for:

  • New or edited posts/pages authored by Contributor accounts with unfamiliar titles or unexpected content.
  • Post content containing unexpected