cleantalk
Vulnerabilities and Security Researches

WP Shortcodes Plugin — Shortcodes Ultimate, CVE-2026-2480

CVE, Research URL

CVE-2026-2480

Home page URL

Security reports for WP Shortcodes Plugin — Shortcodes Ultimate

Application

WP Shortcodes Plugin — Shortcodes Ultimate

Published on
Apr 01, 2026
Research Description
The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'max_width' attribute of the `su_box` shortcode in all versions up to, and including, 7.4.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 7.5.0.
Status
vulnerable
Previous vulnerability researches
WP Shortcodes Plugin — Shortcodes Ultimate (CVE-2024-8500) , Oct 23, 2024
WP Shortcodes Plugin — Shortcodes Ultimate (CVE-2025-0370) , Mar 05, 2025
WP Shortcodes Plugin — Shortcodes Ultimate (CVE-2023-33999) , Jun 13, 2026
WP Shortcodes Plugin — Shortcodes Ultimate (CVE-2025-5567) , Jul 05, 2025
WP Shortcodes Plugin — Shortcodes Ultimate (CVE-2025-49244) , Jun 13, 2026
New vulnerability
EventPrime – Events Calendar, Bookings and Tickets (CVE-2025-63007) , Jun 14, 2026
EventPrime – Events Calendar, Bookings and Tickets (CVE-2026-24378) , Jun 14, 2026
EventPrime – Events Calendar, Bookings and Tickets (CVE-2025-69358) , Jun 14, 2026
EventPrime – Events Calendar, Bookings and Tickets (CVE-2025-63006) , Jun 14, 2026
LWS Optimize (CVE-2026-12089) , Jun 14, 2026