{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2480", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-13T18:13:56.168Z", "datePublished": "2026-03-31T22:26:03.703Z", "dateUpdated": "2026-04-08T16:56:53.775Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:56:53.775Z"}, "affected": [{"vendor": "gn_themes", "product": "WP Shortcodes Plugin \u2014 Shortcodes Ultimate", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "7.4.10", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP Shortcodes Plugin \u2014 Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'max_width' attribute of the `su_box` shortcode in all versions up to, and including, 7.4.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "WP Shortcodes Plugin \u2014 Shortcodes Ultimate <= 7.4.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'max_width' Shortcode Attribute", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/61ab7a28-bcca-41ff-89d1-c083c6b0d39f?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/shortcodes-ultimate/tags/7.4.9/includes/shortcodes/box.php#L107"}, {"url": "https://plugins.trac.wordpress.org/browser/shortcodes-ultimate/tags/7.4.9/includes/shortcodes/box.php#L113"}, {"url": "https://plugins.trac.wordpress.org/changeset/3489360/shortcodes-ultimate/trunk/includes/shortcodes/box.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Michael Iden"}], "timeline": [{"time": "2026-02-13T18:29:12.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-31T10:25:05.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-01T15:21:47.162095Z", "id": "CVE-2026-2480", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T15:52:22.500Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Shortcodes Plugin \u2014 Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'max_width' attribute of the `su_box` shortcode in all versions up to, and including, 7.4.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El plugin WP Shortcodes Plugin \u2014 Shortcodes Ultimate para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s del atributo 'max_width' del shortcode 'su_box' en todas las versiones hasta la 7.4.10, inclusive, debido a una sanitizaci\u00f3n de entrada y escape de salida insuficientes en los atributos proporcionados por el usuario. Esto permite a atacantes autenticados, con acceso de nivel de colaborador y superior, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "id": "CVE-2026-2480", "lastModified": "2026-04-24T18:12:06.580", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-03-31T23:17:08.233", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/shortcodes-ultimate/tags/7.4.9/includes/shortcodes/box.php#L107"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/shortcodes-ultimate/tags/7.4.9/includes/shortcodes/box.php#L113"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3489360/shortcodes-ultimate/trunk/includes/shortcodes/box.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/61ab7a28-bcca-41ff-89d1-c083c6b0d39f?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,7.4.10]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "WP Shortcodes Plugin \u2014 Shortcodes Ultimate", "source": "cna", "vendor": "gn_themes"}, "product": "wp_shortcodes_plugin_\u2014_shortcodes_ultimate", "vendor": "gn_themes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-01T05:35:49.522184+00:00", "value": {"mitigation_remediation": ["Upgrade to WP Shortcodes Plugin \u2013 Shortcodes Ultimate version 7.4.11 or later, which fixes the input sanitization issue.", "If upgrading is not immediately possible, restrict the use of the su_box shortcode to trusted users or remove it from publicly accessible content.", "Audit existing pages that use the su_box shortcode for hidden or malformed attributes and clean or remove them.", "Apply general security hygiene: review role permissions, enforce least privilege, and monitor for unexpected script execution."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in the WP Shortcodes Plugin \u2013 Shortcodes Ultimate for WordPress, every version up to and including 7.4.10. Users with contributor or higher privileges are able to inject the payload, though any site visitor may be impacted when the malicious content is displayed.", "description_and_impact": "The plugin accepts a 'max_width' attribute on the su_box shortcode and does not properly escape user input. An attacker who has contributor\u2011level access can supply malicious JavaScript in this attribute. The code is stored in the database and rendered in any page that uses the shortcode, meaning that every visitor to the affected page will execute the injected script. This can lead to session hijacking, cookie theft, malicious redirects, or defacement.", "risk_and_exploitability": "The CVSS score of 6.4 indicates moderate severity. Because the attacker must be authenticated, the likelihood of exploitation is lower than a fully remote vulnerability; however, once authenticated the script executes for all users. The EPSS score is not available and the flaw is not listed in the CISA KEV catalog. The most probable attack path is an authenticated contributor editing a page or post that contains the su_box shortcode and inserting malicious code into the 'max_width' field."}}}}, "created": "2026-04-02T07:51:39.671375+00:00", "updated": "2026-04-02T20:09:59.441379+00:00", "vendors": ["gn_themes", "gn_themes$PRODUCT$wp_shortcodes_plugin_\u2014_shortcodes_ultimate", "wordpress", "wordpress$PRODUCT$wordpress"]}