CVE-2026-0738 affects Shortcodes Ultimate and is an authenticated Author+ stored cross site scripting vulnerability in the su_carousel shortcode. In versions through 7.4.8, an unsafe value in the su_slide_link attachment field can be stored and rendered in carousel output. When a visitor moves the pointer over the affected slide link, browser code can run in that visitor’s session.
| CVE | CVE-2026-0738 |
| Plugin Version | Shortcodes Ultimate <= 7.4.8, fixed in 7.4.9 |
| All Time | 24 786 536 |
| Active installations | 400 000+ |
| Publicly Published | April 3, 2026 |
| Last Updated | April 4, 2026 |
| Researcher | Dmitrii Ignatyev |
| PoC | Yes |
| Exploit | No |
| Reference | https://www.cve.org/CVERecord?id=CVE-2026-0738 https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/shortcodes-ultimate/shortcodes-ultimate-748-authenticated-contributor-stored-cross-site-scripting-via-su-carousel-shortcode |
| Plugin Security Certification by CleanTalk | ![]() |
| Logo of the plugin |
PSC by CleantalkJoin the community of developers who prioritize security. Highlight your plugin in the WordPress catalog.
Timeline
| January 6, 2026 | Plugin testing and vulnerability detection in Shortcodes Ultimate were completed. |
| January 6, 2026 | The vulnerability was reported with PoC, description, and recommendations for remediation. |
| April 3, 2026 | CVE-2026-0738 was publicly published by Wordfence. |
Discovery of the Vulnerability
During testing, the vulnerable surface was the Slide link value saved in the su_slide_link attachment meta field. The su_carousel shortcode can load media attachments from its source attribute and use the stored slide link when it generates the carousel markup.
In affected versions, the attachment value was not sufficiently sanitized before it was stored and rendered. A crafted quote can break out of the intended attribute context and add an event handler to the carousel link. An Author can edit their own media and create posts, which is enough to persist the payload in content served by the site.
Understanding of Stored XSS attacks
Stored cross site scripting occurs when user controlled data is saved by an application and later returned to a browser without the required validation and context-aware escaping. The payload does not need to be sent again because it stays with the stored object and can affect every page that renders it.
Attachment metadata is a sensitive boundary in WordPress because it is often reused across posts and rendered by plugins in different contexts. If an image field is inserted into an HTML attribute without strict URL validation and attribute escaping, a trusted visitor can trigger code that was supplied by an author-level account.
Exploiting the Stored XSS Vulnerability
An authenticated Author or higher user can set a crafted Slide link on an image and then reference that image in a custom su_carousel shortcode. The following proof of concept is limited to a browser alert.
POC:
POC: 1. Log in with an Author or higher WordPress account. 2. Create a new image in the Media Library. 3. Set the Slide link field to 123" onmouseover=alert(1)//. 4. Note the image ID. 5. Create a new post with the shortcode below. Replace 107 with the image ID if needed. [su_carousel link="custom" source="media: 107"] 6. Open the post and move the pointer over the affected carousel slide link.____
The payload only opens a browser alert. It demonstrates stored client-side execution without adding extra actions or destructive behavior.
Recommendations for Improved Security
Site owners should update Shortcodes Ultimate to version 7.4.9 or a newer release. They should also limit media editing and publishing capabilities to roles that need them.
Developers should validate slide links against an explicit allowlist of URL protocols before saving attachment metadata. The value must also be escaped for the final HTML attribute context so quotes and event handlers cannot alter the generated carousel markup.
By addressing Stored XSS like CVE-2026-0738, WordPress site owners can reduce the risk from unsafe carousel rendering and protect visitors from browser-side compromise. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #MediumVulnerability
Use CleanTalk solutions to improve the security of your website
