We’re actively acquiring WordPress agencies. Sell your WordPress business to Freshy.
Let’s discuss

WordPress Security Bulletin: WP Shortcodes Plugin – Shortcodes Ultimate (CVE-2026-2480)

Nick Paliughi
On this page

Security Alert Summary

The WP Shortcodes Plugin – Shortcodes Ultimate for WordPress contains a stored cross-site scripting (XSS) vulnerability in the su_box shortcode. Insufficient input sanitization and output escaping for the max_width attribute in affected versions allows authenticated users with contributor-level access or higher to inject script content that will execute when a page containing the injected shortcode is viewed.

CVE Details

  • CVE ID: CVE-2026-2480
  • Affected component: WP Shortcodes Plugin – Shortcodes Ultimate plugin for WordPress
  • Affected versions: All versions up to and including 7.4.10
  • Published: March 31, 2026 at 11:17:08 PM
  • Last modified: April 1, 2026 at 2:23:37 PM
  • CVSS v3.1: Base Score 6.4, MEDIUM
    • CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • Authentication / privileges / user interaction:
    • Authentication: authenticated users (contributor-level access and above)
    • Privileges Required: LOW
    • User Interaction: NONE
    • Attack Vector: NETWORK
    • Scope: CHANGED
  • Primary impact: Confidentiality: LOW; Integrity: LOW; Availability: NONE
  • CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation – Cross-site Scripting)

Technical Details

This vulnerability is a stored cross-site scripting issue caused by insufficient input sanitization and output escaping of user-supplied attributes for the su_box shortcode. Specifically, the max_width attribute can contain attacker-controlled values that are not properly sanitized or escaped before being rendered on pages.

An authenticated user with contributor-level access or higher can create or edit content that includes a crafted su_box shortcode with a malicious max_width attribute. When another user views the page containing the injected shortcode, the injected script code is executed in the context of the viewer’s browser, allowing actions consistent with a stored XSS impact (for example, script-driven UI actions, data exposure within the page, or session-based interactions available to the viewer).

The issue exists because user-supplied shortcode attributes are handled without sufficient sanitization and output escaping, allowing arbitrary script payloads to be stored and later rendered to site visitors.

How This Could Impact Your Website

Consider a site with multiple contributors: a site owner who manages overall settings, internal staff who create and edit pages, and external contractors who contribute content. If a contributor or compromised contractor submits content containing a malicious su_box shortcode using the max_width attribute, that payload can be stored and executed whenever other users visit the affected page.

  • Internal staff or editors viewing the page could have page-level data exposed to an attacker-controlled script.
  • Exposed emails or page content can increase the risk of targeted phishing or social engineering against staff or subscribers.
  • While the CVSS impacts indicate limited confidentiality and integrity effects rather than full system takeover, the presence of stored XSS still enables browser-based attacks against users who view injected pages.

If youre unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.

Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles, especially contributor-level accounts.
  • Enforce strong passwords and two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins from your site.
  • Monitor site activity and page content for unusual changes or unexpected shortcode usage.

If youd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.

References

Nick Paliughihttps://freshysites.com/team/nick-paliughi/
Nick was born in California and now resides in Lake Worth, FL. He has 10 years of experience building and maintaining sites in WordPress, which he is excited to put to use at Freshy. Prior to starting at Freshy in 2022 his focus was on WordPress security & malware removal. When he’s not tending to your website, Nick is installing exhibitions at art galleries and museums in Palm Beach County, and if he’s lucky surfing at the Lake Worth pier.

See our featured website design work

Check out some of the beautiful websites we’ve built for over 2,000 clients.

View projects

We offer WordPress support & maintenance

Shake the stress of ongoing maintenance with plans supported by our team of WordPress experts.

Learn more
Previous Post
WordPress Security Bulletin: Booking for Appointments and Events Calendar – Amelia Plugin Vulnerability (CVE-2026-4668)
Next Post
WordPress Security Bulletin: Database for Contact Form 7, WPforms, Elementor forms Plugin Vulnerability (CVE-2026-3831)