cleantalk
Vulnerabilities and Security Researches

WP Shortcodes Plugin — Shortcodes Ultimate, CVE-2026-0737

CVE, Research URL

CVE-2026-0737

Home page URL

Security reports for WP Shortcodes Plugin — Shortcodes Ultimate

Application

WP Shortcodes Plugin — Shortcodes Ultimate

Published on
Apr 04, 2026
Research Description
The WP Shortcodes Plugin - Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 7.4.7. This is due to insufficient input sanitization and output escaping in the 'src' attribute of the su_lightbox shortcode. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 7.4.8.
Status
vulnerable
Previous vulnerability researches
WP Shortcodes Plugin — Shortcodes Ultimate (CVE-2024-8500) , Oct 23, 2024
WP Shortcodes Plugin — Shortcodes Ultimate (CVE-2025-0370) , Mar 05, 2025
WP Shortcodes Plugin — Shortcodes Ultimate (CVE-2023-33999) , Jun 13, 2026
WP Shortcodes Plugin — Shortcodes Ultimate (CVE-2025-5567) , Jul 05, 2025
WP Shortcodes Plugin — Shortcodes Ultimate (CVE-2025-49244) , Jun 13, 2026
New vulnerability
EventPrime – Events Calendar, Bookings and Tickets (CVE-2025-63007) , Jun 14, 2026
EventPrime – Events Calendar, Bookings and Tickets (CVE-2026-24378) , Jun 14, 2026
EventPrime – Events Calendar, Bookings and Tickets (CVE-2025-69358) , Jun 14, 2026
EventPrime – Events Calendar, Bookings and Tickets (CVE-2025-63006) , Jun 14, 2026
LWS Optimize (CVE-2026-12089) , Jun 14, 2026