VulnTitan VulnTitan Security command center
Plugin Vulnerability Hub
Plugin 33 known issues Latest disclosed Mar 31, 2026

WP Shortcodes Plugin — Shortcodes Ultimate Vulnerabilities

Review known vulnerability records for the WordPress plugin WP Shortcodes Plugin — Shortcodes Ultimate (`shortcodes-ultimate`), including severity, CVE references, affected versions, and patch status.

View on WordPress.org Back to Feed
Known Records
33
High or Critical
3
Linked CVEs
31
Last Updated
Mar 31, 2026
Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for WP Shortcodes Plugin — Shortcodes Ultimate so operators can quickly confirm whether a disclosed issue maps to the installed slug and version range.

Patch Visibility
33 records include a published patch path.
Severity Mix
0 critical and 3 high severity findings.
Reference Workflow
Jump from the hub into the full report when you need remediation notes, CVSS vector details, or source references.
Known Vulnerabilities

Reports for WP Shortcodes Plugin — Shortcodes Ultimate

Sorted by latest disclosure date so newly published issues surface first.

Plugin Medium Patched: Yes CVE-2026-2480
WP Shortcodes Plugin — Shortcodes Ultimate <= 7.4.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'max_width' Shortcode Attribute

The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'max_width' attribute of the `su_box` shortcode in all versions up to, and including, 7.4.10 due to insufficient input sanitization and output escaping on user...

Published
Mar 31, 2026
Patched Release
7.5.0
Affected Versions
Versions up to 7.4.10
Next Step
Update to 7.5.0 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-12800
WP Shortcodes Plugin — Shortcodes Ultimate <= 7.4.5 - Authenticated (Administrator+) Server-Side Request Forgery

The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.4.5 via the su_shortcode_csv_table function. This makes it possible for authenticated attackers, with Administrator-level acces...

Published
Nov 23, 2025
Patched Release
7.4.6
Affected Versions
Versions up to 7.4.5
Next Step
Update to 7.4.6 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-8015
Shortcodes Ultimate <= 7.4.2 - Authenticated (Author+) Stored Cross-Site Scripting via Image Title and Slide Link

The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an uploaded image's 'Title' and 'Slide link' fields in all versions up to, and including, 7.4.2 due to insufficient input sanitization and output escaping. This ma...

Published
Jul 21, 2025
Patched Release
7.4.3
Affected Versions
Versions up to 7.4.2
Next Step
Update to 7.4.3 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-7354
WP Shortcodes Plugin — Shortcodes Ultimate <= 7.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Plugin Shortcodes

The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 7.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This ma...

Published
Jul 20, 2025
Patched Release
7.4.3
Affected Versions
Versions up to 7.4.2
Next Step
Update to 7.4.3 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-7369
Shortcodes Ultimate <= 7.4.2 - Cross-Site Request Forgery to Arbitrary Shortcode Execution

The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 7.4.2. This is due to missing or incorrect nonce validation on the preview function. This makes it possible for unauthenticated at...

Published
Jul 20, 2025
Patched Release
7.4.3
Affected Versions
Versions up to 7.4.2
Next Step
Update to 7.4.3 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-5567
Shortcodes Ultimate <= 7.4.0 - Authenticted (Contributor+) Stored Cross-Site Scripting via 'data-url' Attribute

The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'data-url' DOM element attribute in all versions up to, and including, 7.4.0 due to insufficient input sanitization and output escaping. This makes it possible...

Published
Jul 03, 2025
Patched Release
7.4.1
Affected Versions
Versions up to 7.4.0
Next Step
Update to 7.4.1 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-49244
Shortcodes Ultimate <= 7.3.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 7.3.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and abov...

Published
Jun 05, 2025
Patched Release
7.4.0
Affected Versions
Versions up to 7.3.5
Next Step
Update to 7.4.0 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-0370
WP Shortcodes Plugin — Shortcodes Ultimate <= 7.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via src Parameter

The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘src’ parameter in all versions up to, and including, 7.3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticate...

Published
Mar 03, 2025
Patched Release
7.3.4
Affected Versions
Versions up to 7.3.3
Next Step
Update to 7.3.4 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-8500
WP Shortcodes Plugin — Shortcodes Ultimate <= 7.2.2 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting

The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the several parameters in all versions up to, and including, 7.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authentic...

Published
Oct 22, 2024
Patched Release
7.3.0
Affected Versions
Versions up to 7.2.2
Next Step
Update to 7.3.0 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-4821
WP Shortcodes Plugin — Shortcodes Ultimate <= 7.1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via su_lightbox Shortcode

The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's su_lightbox shortcode in all versions up to, and including, 7.1.6 due to insufficient input sanitization and output escaping on user supplied attribut...

Published
Jun 04, 2024
Patched Release
7.1.7
Affected Versions
Versions up to 7.1.6
Next Step
Update to 7.1.7 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-4553
WP Shortcodes Plugin — Shortcodes Ultimate <= 7.1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via su_members Shortcode

The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'su_members' shortcode in all versions up to, and including, 7.1.5 due to insufficient input sanitization and output escaping on user supplied 'color'...

Published
May 20, 2024
Patched Release
7.1.6
Affected Versions
Versions up to 7.1.5
Next Step
Update to 7.1.6 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-3550
WP Shortcodes Plugin — Shortcodes Ultimate <= 7.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 7.1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This...

Published
Apr 29, 2024
Patched Release
7.1.3
Affected Versions
Versions up to 7.1.2
Next Step
Update to 7.1.3 or newer if supported.
Open Full Report Open CVE Reference