Description
The Shortcode Ajax plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.0. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
Published: 2025-12-13
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary Shortcode Execution
Action: Patch
AI Analysis

Impact

The Shortcode Ajax plugin for WordPress allows unauthenticated users to execute any shortcode via the WordPress template engine. The vulnerability arises from the lack of input validation on the 'code' parameter before calling do_shortcode. The impact of the flaw depends on the functionality of the shortcode that is executed, as shortcodes can perform a wide range of actions.

Affected Systems

Vendor: rang501. Product: Shortcode Ajax. Versions: all releases up to and including 1.0 are affected. No further version information is available in the public data.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation. The attack vector is remote and does not require authentication, using the 'code' parameter of the publicly reachable action. The vulnerability is not listed in the CISA KEV catalog. An attacker can execute arbitrary shortcodes; the resulting impact depends on what the executed shortcode does, which could potentially include data disclosure or other effects. This potential impact is inferred from the nature of arbitrary code execution.

Generated by OpenCVE AI on April 22, 2026 at 00:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Shortcode Ajax plugin to a version newer than 1.0 or uninstall it entirely.
  • If the plugin must remain, configure your site to disallow execution of unknown shortcodes by defining a whitelist or disabling the do_shortcode function for unauthenticated requests.
  • Ensure that the 'code' parameter and similar inputs are subjected to strict validation before passing them to any template engine to prevent future injection or execution flaws.
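The allowlist approach in the recommendations above, as an added example that is not the plugin's own code: a hypothetical AJAX handler (the action name, allowed tags and request parameter names are assumptions) that never passes raw request text to do_shortcode, but accepts a tag name and an attribute array, checks both against an allowlist, and rebuilds the shortcode string server-side behind a nonce and capability check.

```php
<?php
// Hypothetical hardened handler; action name, allowlist and parameter
// names are assumptions, not taken from the Shortcode Ajax plugin.
add_action( 'wp_ajax_sa_render_allowed_shortcode', 'sa_render_allowed_shortcode' );
// Deliberately no wp_ajax_nopriv_ registration: unauthenticated requests
// never reach this code path.

function sa_render_allowed_shortcode() {
    // Reject requests without a valid nonce, then require a capability
    // that already implies the user may author shortcode content.
    check_ajax_referer( 'sa_render', 'nonce' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Allowlist of shortcode tags this endpoint may render (assumed set).
    $allowed_tags = array( 'gallery', 'caption' );

    // The tag is reduced to [a-z0-9_-] and must be both allowlisted and
    // actually registered; anything else is refused before rendering.
    $tag = isset( $_POST['tag'] ) ? sanitize_key( wp_unslash( $_POST['tag'] ) ) : '';
    if ( ! in_array( $tag, $allowed_tags, true ) || ! shortcode_exists( $tag ) ) {
        wp_send_json_error( 'shortcode not allowed', 400 );
    }

    // Attributes arrive as an array; each key and value is sanitized on
    // its own and the shortcode string is assembled by the server, so no
    // caller-supplied shortcode text is ever handed to do_shortcode.
    $atts  = ( isset( $_POST['atts'] ) && is_array( $_POST['atts'] ) ) ? wp_unslash( $_POST['atts'] ) : array();
    $parts = array();
    foreach ( $atts as $key => $value ) {
        $key = sanitize_key( $key );
        if ( '' === $key || ! is_scalar( $value ) ) {
            continue; // drop nested arrays and empty keys
        }
        $parts[] = $key . '="' . esc_attr( sanitize_text_field( (string) $value ) ) . '"';
    }
    $shortcode = '[' . $tag . ( $parts ? ' ' . implode( ' ', $parts ) : '' ) . ']';

    wp_send_json_success( do_shortcode( $shortcode ) );
}
```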

Advisories

No advisories yet.

History

Mon, 15 Dec 2025 16:15:00 +0000

Type | Values Removed | Values Added
Metrics ssvc | | {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 14 Dec 2025 21:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress; Wordpress wordpress
Vendors & Products | | Wordpress; Wordpress wordpress

Sat, 13 Dec 2025 04:45:00 +0000

Type | Values Removed | Values Added
Description | | The Shortcode Ajax plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.0. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
Title | | Shortcode Loader <= 1.0 - Unauthenticated Arbitrary Shortcode Execution via 'code' Parameter
Weaknesses | | CWE-94
References | |
Metrics cvssV3_1 | | {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:06:17.381Z

Reserved: 2025-12-11T11:11:50.073Z

Link: CVE-2025-14539

Vulnrichment

Updated: 2025-12-15T15:43:19.723Z

NVD

Status : Deferred

Published: 2025-12-13T16:16:51.107

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14539

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T00:15:03Z

Weaknesses