{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0737", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-08T16:20:21.978Z", "datePublished": "2026-04-04T07:41:58.926Z", "dateUpdated": "2026-04-08T16:57:07.456Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:57:07.456Z"}, "affected": [{"vendor": "gn_themes", "product": "WP Shortcodes Plugin \u2014 Shortcodes Ultimate", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "7.4.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP Shortcodes Plugin - Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 7.4.7. This is due to insufficient input sanitization and output escaping in the 'src' attribute of the su_lightbox shortcode. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Shortcodes Ultimate <= 7.4.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'su_lightbox' Shortcode", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/62a9c9f4-ace4-4029-a720-5ea077e98be4?source=cve"}, {"url": "https://research.cleantalk.org/cve-2026-0737/"}, {"url": "https://plugins.trac.wordpress.org/browser/shortcodes-ultimate/tags/7.4.8/includes/shortcodes/lightbox.php?marks=69#L69"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Dmitrii Ignatyev"}], "timeline": [{"time": "2025-12-30T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2026-01-08T16:42:16.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-03T19:32:59.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0737", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-06T17:51:36.827396Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T18:02:55.393Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0737", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-06T17:51:36.827396Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T18:00:22.183Z"}}], "cna": {"title": "Shortcodes Ultimate <= 7.4.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'su_lightbox' Shortcode", "credits": [{"lang": "en", "type": "finder", "value": "Dmitrii Ignatyev"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "gn_themes", "product": "WP Shortcodes Plugin \u2014 Shortcodes Ultimate", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "7.4.7"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-30T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2026-01-08T16:42:16.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-04-03T19:32:59.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/62a9c9f4-ace4-4029-a720-5ea077e98be4?source=cve"}, {"url": "https://research.cleantalk.org/cve-2026-0737/"}, {"url": "https://plugins.trac.wordpress.org/browser/shortcodes-ultimate/tags/7.4.8/includes/shortcodes/lightbox.php?marks=69#L69"}], "descriptions": [{"lang": "en", "value": "The WP Shortcodes Plugin - Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 7.4.7. This is due to insufficient input sanitization and output escaping in the 'src' attribute of the su_lightbox shortcode. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:57:07.456Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0737", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:57:07.456Z", "dateReserved": "2026-01-08T16:20:21.978Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-04T07:41:58.926Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Shortcodes Plugin - Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 7.4.7. This is due to insufficient input sanitization and output escaping in the 'src' attribute of the su_lightbox shortcode. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2026-0737", "lastModified": "2026-04-24T18:13:28.877", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-04T08:16:06.047", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/shortcodes-ultimate/tags/7.4.8/includes/shortcodes/lightbox.php?marks=69#L69"}, {"source": "security@wordfence.com", "url": "https://research.cleantalk.org/cve-2026-0737/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/62a9c9f4-ace4-4029-a720-5ea077e98be4?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.4.7]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "WP Shortcodes Plugin \u2014 Shortcodes Ultimate", "source": "cna", "vendor": "gn_themes"}, "product": "wp_shortcodes_plugin_\u2014_shortcodes_ultimate", "vendor": "gn_themes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-04T11:51:04.255087+00:00", "value": {"mitigation_remediation": ["Upgrade the Shortcodes Ultimate plugin to version 7.4.8 or later", "If an upgrade is not immediately possible, remove or disable the su_lightbox shortcode from existing content", "Restrict contributor and higher role permissions so that only trusted users can add lightbox shortcodes until the plugin is updated", "Monitor site activity for unexpected JavaScript usage and scan posts/pages for injected code"], "summary": {"action": "Patch", "impact": "Stored cross\u2011site scripting that allows authenticated users with contributor or higher access to inject and execute arbitrary scripts on site pages"}, "threat_synthesis": {"affected_systems": "All WordPress installations that use the WP Shortcodes Plugin \u2013 Shortcodes Ultimate and have a version of 7.4.7 or earlier are affected. The official fix was delivered in version 7.4.8, which removes the vulnerability.", "description_and_impact": "The vulnerability arises from insufficient sanitization of the src attribute in the su_lightbox shortcode of the Shortcodes Ultimate plugin. An authenticated contributor or higher can store malicious JavaScript within that attribute, which in turn is rendered on pages viewed by other users. The stored code runs in every visitor\u2019s browser, enabling attacks such as session hijacking, defacement, or other client\u2011side exploits.", "risk_and_exploitability": "The CVSS score of 6.4 reflects moderate severity. Because an attacker must first obtain authenticated access at the contributor level or higher, the risk is confined to sites where such roles are granted. Exploit probability data is currently unavailable, and the vulnerability is not listed in the known exploited vulnerabilities catalog. Once the required privileges are attained, the stored script can be delivered to any user viewing the affected page, posing a significant threat to confidentiality, integrity, and user trust."}}}}, "created": "2026-04-06T20:27:39.550217+00:00", "updated": "2026-04-06T22:20:58.734891+00:00", "vendors": ["gn_themes", "gn_themes$PRODUCT$wp_shortcodes_plugin_\u2014_shortcodes_ultimate", "wordpress", "wordpress$PRODUCT$wordpress"]}