CVE-2026-0737 affects Shortcodes Ultimate and is an authenticated Contributor+ stored cross site scripting vulnerability in the su_lightbox shortcode. In versions through 7.4.7, an attacker can store a crafted value in the shortcode src attribute. When a visitor activates the injected lightbox link, browser code can run in that visitor’s session.

CVECVE-2026-0737
Plugin VersionShortcodes Ultimate <= 7.4.7, fixed in 7.4.8
All Time24 786 536
Active installations400 000+
Publicly PublishedApril 3, 2026
Last UpdatedApril 4, 2026
ResearcherDmitrii Ignatyev
PoCYes
ExploitNo
Referencehttps://www.cve.org/CVERecord?id=CVE-2026-0737
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/shortcodes-ultimate/shortcodes-ultimate-747-authenticated-contributor-stored-cross-site-scripting-via-su-lightbox-shortcode
Plugin Security Certification by CleanTalk
Logo of the pluginShortcodes Ultimate

Join the community of developers who prioritize security. Highlight your plugin in the WordPress catalog.

PSC by Cleantalk

Timeline

December 30, 2025Plugin testing and vulnerability detection in Shortcodes Ultimate were completed.
December 30, 2025The vulnerability was reported with PoC, description, and recommendations for remediation.
April 3, 2026CVE-2026-0737 was publicly published by Wordfence.

Discovery of the Vulnerability

During testing, the vulnerable surface was the src attribute handled by the su_lightbox shortcode. In affected versions, an entity-encoded JavaScript scheme can pass through the shortcode processing and reach the generated frontend link.

The shortcode did not sufficiently restrict the URL protocol before rendering the value. A Contributor or higher role can therefore store a crafted shortcode in post content and leave a browser-side payload for a visitor who follows the resulting link.

Understanding of Stored XSS attacks

Stored cross site scripting occurs when an application saves attacker controlled content and later returns it to a browser without applying the right validation and output escaping. In WordPress, post content and shortcodes can turn a single malicious submission into a persistent payload that remains until the content is removed or corrected.

The Contributor+ requirement limits the initial attacker, but many sites accept content from contributors, editors, and other non-administrative roles. A stored shortcode can reach readers, reviewers, or administrators and may execute with the permissions available in the browser session that activates it.

Exploiting the Stored XSS Vulnerability

An authenticated user with the Contributor role or higher can add the affected shortcode to a post. The following non-destructive proof of concept shows the stored payload used during testing.

POC:

POC:
1. Log in with a Contributor or higher WordPress account.
2. Create or edit a post.
3. Insert the shortcode below into the post content.
4. Submit the post for review or publish it with an authorized role.
5. Open the post and select the lightbox link.

[su_lightbox type="iframe" src="javas&#99;ript:alert(1)"]click[/su_lightbox]

____

The payload only opens a browser alert. It demonstrates the unsafe stored script execution path without performing additional actions.

Recommendations for Improved Security

Site owners should update Shortcodes Ultimate to version 7.4.8 or a newer release. They should also review who may create or edit content that uses plugin shortcodes, especially on sites that accept contributor submissions.

Developers should validate the src value against an explicit allowlist of safe URL protocols before storing or rendering it. The final link attribute should be escaped for its HTML context, and unsafe schemes such as javascript should be rejected after decoding.

By addressing Stored XSS like CVE-2026-0737, WordPress site owners can reduce the risk from unsafe shortcode rendering and protect visitors from browser-side compromise. Stay vigilant, stay secure.

#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #MediumVulnerability

Use CleanTalk solutions to improve the security of your website

CVE-2026-0737 – Shortcodes Ultimate – Stored XSS – POC

Dmitrii I

Pentester with 5 years of hands-on experience securing WordPress and web applications, holding OSWE, OSEP, OSCP, and OSWP certifications. Author of 450 published CVEs, including 35 disclosed within the last month. Specializes in discovering and validating high-impact vulnerabilities in WordPress plugins/themes / Custom WEB applications and delivering actionable remediation guidance to harden production sites.

Visit Author's Website

See all posts by dmitrii-ignatyev