CVE-2026-0738 affects Shortcodes Ultimate and is an authenticated Author+ stored cross site scripting vulnerability in the su_carousel shortcode. In versions through 7.4.8, an unsafe value in the su_slide_link attachment field can be stored and rendered in carousel output. When a visitor moves the pointer over the affected slide link, browser code can run in that visitor’s session.

CVECVE-2026-0738
Plugin VersionShortcodes Ultimate <= 7.4.8, fixed in 7.4.9
All Time24 786 536
Active installations400 000+
Publicly PublishedApril 3, 2026
Last UpdatedApril 4, 2026
ResearcherDmitrii Ignatyev
PoCYes
ExploitNo
Referencehttps://www.cve.org/CVERecord?id=CVE-2026-0738
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/shortcodes-ultimate/shortcodes-ultimate-748-authenticated-contributor-stored-cross-site-scripting-via-su-carousel-shortcode
Plugin Security Certification by CleanTalk
Logo of the pluginShortcodes Ultimate

Join the community of developers who prioritize security. Highlight your plugin in the WordPress catalog.

PSC by Cleantalk

Timeline

January 6, 2026Plugin testing and vulnerability detection in Shortcodes Ultimate were completed.
January 6, 2026The vulnerability was reported with PoC, description, and recommendations for remediation.
April 3, 2026CVE-2026-0738 was publicly published by Wordfence.

Discovery of the Vulnerability

During testing, the vulnerable surface was the Slide link value saved in the su_slide_link attachment meta field. The su_carousel shortcode can load media attachments from its source attribute and use the stored slide link when it generates the carousel markup.

In affected versions, the attachment value was not sufficiently sanitized before it was stored and rendered. A crafted quote can break out of the intended attribute context and add an event handler to the carousel link. An Author can edit their own media and create posts, which is enough to persist the payload in content served by the site.

Understanding of Stored XSS attacks

Stored cross site scripting occurs when user controlled data is saved by an application and later returned to a browser without the required validation and context-aware escaping. The payload does not need to be sent again because it stays with the stored object and can affect every page that renders it.

Attachment metadata is a sensitive boundary in WordPress because it is often reused across posts and rendered by plugins in different contexts. If an image field is inserted into an HTML attribute without strict URL validation and attribute escaping, a trusted visitor can trigger code that was supplied by an author-level account.

Exploiting the Stored XSS Vulnerability

An authenticated Author or higher user can set a crafted Slide link on an image and then reference that image in a custom su_carousel shortcode. The following proof of concept is limited to a browser alert.

POC:

POC:
1. Log in with an Author or higher WordPress account.
2. Create a new image in the Media Library.
3. Set the Slide link field to 123" onmouseover=alert(1)//.
4. Note the image ID.
5. Create a new post with the shortcode below. Replace 107 with the image ID if needed.

[su_carousel link="custom" source="media: 107"]

6. Open the post and move the pointer over the affected carousel slide link.

____

The payload only opens a browser alert. It demonstrates stored client-side execution without adding extra actions or destructive behavior.

Recommendations for Improved Security

Site owners should update Shortcodes Ultimate to version 7.4.9 or a newer release. They should also limit media editing and publishing capabilities to roles that need them.

Developers should validate slide links against an explicit allowlist of URL protocols before saving attachment metadata. The value must also be escaped for the final HTML attribute context so quotes and event handlers cannot alter the generated carousel markup.

By addressing Stored XSS like CVE-2026-0738, WordPress site owners can reduce the risk from unsafe carousel rendering and protect visitors from browser-side compromise. Stay vigilant, stay secure.

#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #MediumVulnerability

Use CleanTalk solutions to improve the security of your website

CVE-2026-0738 – Shortcodes Ultimate – Stored XSS – POC

Dmitrii I

Pentester with 5 years of hands-on experience securing WordPress and web applications, holding OSWE, OSEP, OSCP, and OSWP certifications. Author of 450 published CVEs, including 35 disclosed within the last month. Specializes in discovering and validating high-impact vulnerabilities in WordPress plugins/themes / Custom WEB applications and delivering actionable remediation guidance to harden production sites.

Visit Author's Website

See all posts by dmitrii-ignatyev