{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27074", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-17T13:23:51.341Z", "datePublished": "2026-02-19T08:27:11.377Z", "dateUpdated": "2026-04-28T16:15:01.107Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "shortcoder", "product": "Shortcoder", "vendor": "vaakash", "versions": [{"changes": [{"at": "6.5.2", "status": "unaffected"}], "lessThanOrEqual": "6.5.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "thifx | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:14.074Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in vaakash Shortcoder shortcoder allows Stored XSS.<p>This issue affects Shortcoder: from n/a through <= 6.5.1.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in vaakash Shortcoder shortcoder allows Stored XSS.This issue affects Shortcoder: from n/a through <= 6.5.1."}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "Stored XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:01.107Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/shortcoder/vulnerability/wordpress-shortcoder-plugin-6-5-1-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress Shortcoder plugin <= 6.5.1 - Cross Site Scripting (XSS) vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-27T16:23:49.586696Z", "id": "CVE-2026-27074", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T15:52:26.913Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27074", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-27T16:23:49.586696Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T16:24:07.240Z"}}], "cna": {"title": "WordPress Shortcoder plugin <= 6.5.1 - Cross Site Scripting (XSS) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "thifx | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "Stored XSS"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "vaakash", "product": "Shortcoder", "versions": [{"status": "affected", "changes": [{"at": "6.5.2", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "6.5.1"}], "packageName": "shortcoder", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:05:14.074Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/shortcoder/vulnerability/wordpress-shortcoder-plugin-6-5-1-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in vaakash Shortcoder shortcoder allows Stored XSS.This issue affects Shortcoder: from n/a through <= 6.5.1.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in vaakash Shortcoder shortcoder allows Stored XSS.<p>This issue affects Shortcoder: from n/a through <= 6.5.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:01.107Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27074", "state": "PUBLISHED", "dateUpdated": "2026-04-28T16:15:01.107Z", "dateReserved": "2026-02-17T13:23:51.341Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-19T08:27:11.377Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in vaakash Shortcoder shortcoder allows Stored XSS.This issue affects Shortcoder: from n/a through <= 6.5.1."}, {"lang": "es", "value": "Neutralizaci\u00f3n Incorrecta de la Entrada Durante la Generaci\u00f3n de P\u00e1ginas Web ('cross-site scripting') vulnerabilidad en vaakash Shortcoder shortcoder permite XSS Almacenado. Este problema afecta a Shortcoder: desde n/d hasta &lt;= 6.5.1."}], "id": "CVE-2026-27074", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 3.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-19T09:16:27.770", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/shortcoder/vulnerability/wordpress-shortcoder-plugin-6-5-1-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.5.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Shortcoder", "source": "cna", "vendor": "vaakash"}, "product": "shortcoder", "vendor": "vaakash"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T06:27:11.034410+00:00", "value": {"mitigation_remediation": ["Install the latest Shortcoder plugin release that addresses the XSS issue, if one is available.", "If updating is not immediately possible, temporarily disable the Shortcoder plugin or remove any untrusted content that may have been injected.", "Apply a web application firewall rule to block or sanitize scripts submitted through the Shortcoder interface."], "summary": {"action": "Update Plugin", "impact": "Stored Cross-site Scripting (CWE-79)"}, "threat_synthesis": {"affected_systems": "The vulnerability impacts the WordPress Shortcoder plugin packaged by the vendor vaakash. All releases up to and including version 6.5.1 are affected; no earlier or later versions are known to be vulnerable.", "description_and_impact": "The Shortcoder WordPress plugin version 6.5.1 and earlier stores user input without proper neutralization, enabling stored cross\u2011site scripting (XSS). An attacker who can insert content through the plugin\u2019s interface can embed malicious JavaScript that executes in the browsers of all visitors who load the affected page. This can lead to session hijacking, credential theft, defacement, or the delivery of malware, compromising the confidentiality and integrity of user sessions and data.", "risk_and_exploitability": "The CVSS base score of 6.5 indicates moderate severity, while the EPSS score of less than 1% suggests rare exploitation. The vulnerability is not listed in CISA\u2019s KEV catalog. Attackers likely need administrative or editing access to inject malicious payloads, and the stored nature of the flaw implies that a single compromised content entry can affect all site visitors. Given the low exploitation probability, the risk to organizations that do not expose the plugin\u2019s content editor to untrusted users is lower, but the potential impact warrants mitigation."}}}}, "created": "2026-02-20T10:08:00.287887+00:00", "updated": "2026-04-16T06:30:06.030093+00:00", "vendors": ["vaakash", "vaakash$PRODUCT$shortcoder", "wordpress", "wordpress$PRODUCT$wordpress"]}