CVE-2026-0737 affects Shortcodes Ultimate and is an authenticated Contributor+ stored cross site scripting vulnerability in the su_lightbox shortcode. In versions through 7.4.7, an attacker can store a crafted value in the shortcode src attribute. When a visitor activates the injected lightbox link, browser code can run in that visitor’s session.
| CVE | CVE-2026-0737 |
| Plugin Version | Shortcodes Ultimate <= 7.4.7, fixed in 7.4.8 |
| All Time | 24 786 536 |
| Active installations | 400 000+ |
| Publicly Published | April 3, 2026 |
| Last Updated | April 4, 2026 |
| Researcher | Dmitrii Ignatyev |
| PoC | Yes |
| Exploit | No |
| Reference | https://www.cve.org/CVERecord?id=CVE-2026-0737 https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/shortcodes-ultimate/shortcodes-ultimate-747-authenticated-contributor-stored-cross-site-scripting-via-su-lightbox-shortcode |
| Plugin Security Certification by CleanTalk | ![]() |
| Logo of the plugin |
PSC by CleantalkJoin the community of developers who prioritize security. Highlight your plugin in the WordPress catalog.
Timeline
| December 30, 2025 | Plugin testing and vulnerability detection in Shortcodes Ultimate were completed. |
| December 30, 2025 | The vulnerability was reported with PoC, description, and recommendations for remediation. |
| April 3, 2026 | CVE-2026-0737 was publicly published by Wordfence. |
Discovery of the Vulnerability
During testing, the vulnerable surface was the src attribute handled by the su_lightbox shortcode. In affected versions, an entity-encoded JavaScript scheme can pass through the shortcode processing and reach the generated frontend link.
The shortcode did not sufficiently restrict the URL protocol before rendering the value. A Contributor or higher role can therefore store a crafted shortcode in post content and leave a browser-side payload for a visitor who follows the resulting link.
Understanding of Stored XSS attacks
Stored cross site scripting occurs when an application saves attacker controlled content and later returns it to a browser without applying the right validation and output escaping. In WordPress, post content and shortcodes can turn a single malicious submission into a persistent payload that remains until the content is removed or corrected.
The Contributor+ requirement limits the initial attacker, but many sites accept content from contributors, editors, and other non-administrative roles. A stored shortcode can reach readers, reviewers, or administrators and may execute with the permissions available in the browser session that activates it.
Exploiting the Stored XSS Vulnerability
An authenticated user with the Contributor role or higher can add the affected shortcode to a post. The following non-destructive proof of concept shows the stored payload used during testing.
POC:
POC: 1. Log in with a Contributor or higher WordPress account. 2. Create or edit a post. 3. Insert the shortcode below into the post content. 4. Submit the post for review or publish it with an authorized role. 5. Open the post and select the lightbox link. [su_lightbox type="iframe" src="javascript:alert(1)"]click[/su_lightbox]____
The payload only opens a browser alert. It demonstrates the unsafe stored script execution path without performing additional actions.
Recommendations for Improved Security
Site owners should update Shortcodes Ultimate to version 7.4.8 or a newer release. They should also review who may create or edit content that uses plugin shortcodes, especially on sites that accept contributor submissions.
Developers should validate the src value against an explicit allowlist of safe URL protocols before storing or rendering it. The final link attribute should be escaped for its HTML context, and unsafe schemes such as javascript should be rejected after decoding.
By addressing Stored XSS like CVE-2026-0737, WordPress site owners can reduce the risk from unsafe shortcode rendering and protect visitors from browser-side compromise. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #MediumVulnerability
Use CleanTalk solutions to improve the security of your website
