A critical vulnerability, CVE-2024-2583, has been uncovered in Shortcodes Ultimate, a popular WordPress plugin with over 600,000 installations. This flaw allows attackers to exploit Stored XSS, potentially leading to unauthorized admin account creation and compromising entire websites.

Main info:

PluginShortcodes Ultimate < 7.0.5
CriticalVery High
All Time19 068 645
Active installations600 000+
Publicly PublishedMarch 21, 2023
Last UpdatedMarch 21, 2023
ResearcherDmtirii Ignatyev
OWASP TOP-10A7: Cross-Site Scripting (XSS)
Reference https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2583
Plugin Security Certification by CleanTalk


March 14, 2023Plugin testing and vulnerability detection in the Shortcodes Ultimate have been completed
March 14, 2023I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
March 21, 2024Registered CVE-2024-2583

Discovery of the Vulnerability

During plugin testing, security researchers discovered that Shortcodes Ultimate fails to properly sanitize user input, allowing contributors to inject malicious JavaScript code via shortcode attributes.

Understanding of Stored XSS attack’s

Stored XSS enables attackers to execute arbitrary code within the context of a website, posing significant security risks. In this case, by embedding crafted shortcodes, contributors can trigger malicious actions, such as creating admin accounts without proper validation.

Exploiting the Sensitive Data Exposure Vulnerability

Using a crafted shortcode like [su_note note_color=’123″onmouseover=”alert(1)”‘ text_color=’1′ radius=’1′ class=’1’ id=”1″], contributors can inject arbitrary JavaScript code. When an admin views the affected page, the injected script executes, potentially leading to admin account creation.


[su_note note_color=’123″onmouseover=”Malicious_Function_Here“‘ text_color=’1′ radius=’1′ class=’1’ id=”1”]Note text[/su_note]


This vulnerability poses severe risks, allowing attackers to gain unauthorized access to WordPress admin accounts. Such access grants them control over website content, user data, and potentially sensitive information, leading to data breaches, defacement, or further exploitation.

Recommendations for Improved Security

  • Update Immediately: WordPress site administrators must update Shortcodes Ultimate to the latest patched version to mitigate this vulnerability.
  • Regular Security Audits: Conduct regular security audits of plugins and themes to identify and address potential vulnerabilities promptly.
  • Input Sanitization: Developers should implement robust input validation and sanitization techniques to prevent XSS attacks.
  • Security Headers: Implement Content Security Policy (CSP) headers to mitigate the impact of XSS attacks.
  • User Education: Educate users on safe practices, such as avoiding executing scripts from untrusted sources and keeping plugins updated.

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-2583, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.

#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #VeryHighVulnerability

Use CleanTalk solutions to improve the security of your website


Create your CleanTalk account

By signing up, you agree with license. Have an account? Log in.
CVE-2024-2583 – Shortcodes Ultimate – Stored XSS to Admin Account Creation (Contributor+) – POC

Leave a Reply

Your email address will not be published. Required fields are marked *