Description
The Show Me The Cookies plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.0. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
Published: 2025-02-22
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Apply patch
AI Analysis

Impact

The Show Me The Cookies plugin for WordPress permits arbitrary shortcode execution in all releases through version 1.0. The flaw occurs because a user‑controlled value is fed directly into do_shortcode without validation, allowing an attacker to inject and run any shortcode. Since WordPress shortcodes can contain PHP code, this vulnerability falls under CWE‑94 and permits remote code execution, data exfiltration, or site defacement.
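To make the described flaw concrete, here is an added PHP illustration (not the plugin's own code; the action name, shortcode tags and nonce name are hypothetical) of an AJAX handler that hands a request value straight to do_shortcode, beside a hardened version that allowlists the tag before it is rendered:

```php
<?php
// Added illustration of the CWE-94 pattern in this record; NOT the
// Show Me The Cookies plugin's code. 'smtc_render', the shortcode tags and
// the nonce name are hypothetical.

// Insecure pattern: a request parameter becomes the shortcode tag, so any
// shortcode registered on the site can be triggered by whoever calls the action.
function smtc_render_insecure() {
    $tag = isset( $_POST['shortcode'] ) ? wp_unslash( $_POST['shortcode'] ) : '';
    echo do_shortcode( '[' . $tag . ']' );   // no validation of $tag at all
    wp_die();
}

// Hardened pattern: only a fixed set of the plugin's own tags may be rendered.
const SMTC_ALLOWED_SHORTCODES = array( 'smtc_cookie_banner', 'smtc_cookie_list' ); // hypothetical

function smtc_validated_shortcode( $raw ) {
    $tag = sanitize_key( (string) $raw );               // lowercase, keeps only [a-z0-9_-]
    if ( ! in_array( $tag, SMTC_ALLOWED_SHORTCODES, true ) ) {
        return null;                                    // not one of ours: refuse
    }
    if ( ! shortcode_exists( $tag ) ) {
        return null;                                    // allowlisted but not registered here
    }
    return $tag;
}

function smtc_render_hardened() {
    check_ajax_referer( 'smtc_render', 'nonce' );       // CSRF token issued with the page
    $tag = smtc_validated_shortcode( $_POST['shortcode'] ?? '' );
    if ( null === $tag ) {
        wp_send_json_error( 'invalid shortcode', 400 ); // reject rather than render
    }
    wp_send_json_success( do_shortcode( '[' . $tag . ']' ) );
}

// Only the hardened handler is exposed to unauthenticated requests.
add_action( 'wp_ajax_nopriv_smtc_render', 'smtc_render_hardened' );
add_action( 'wp_ajax_smtc_render', 'smtc_render_hardened' );
```

The allowlist check is the fix; the nonce and the shortcode_exists check are defence in depth, not substitutes for it.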

Affected Systems

Any WordPress site running the versluis Show Me The Cookies plugin, version 1.0 or earlier, is affected. No later versions have been reported to be impacted.

Risk and Exploitability

The CVSS base score of 7.3 indicates moderate severity, while the EPSS score of less than 1% shows a very low likelihood of current exploitation. The flaw is unauthenticated, meaning any external web request that triggers do_shortcode can be used to exploit the site. The vulnerability is not listed in CISA's KEV catalog, so no widespread active exploits are known, but the potential for remote code execution makes it a high‑priority issue for site owners.

Generated by OpenCVE AI on April 21, 2026 at 22:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Show Me The Cookies plugin to any release newer than 1.0 to remove the insecure shortcode execution path.
  • If no newer release is available, disable or delete the plugin to eliminate the attack surface.
  • As a temporary safeguard, restrict access to the do_shortcode function by enforcing role‑based limits or installing a security plugin that blocks shortcode execution for unauthenticated users.


Tracking


Advisories
Source: EUVD
ID: EUVD-2025-4445
Title: The Show Me The Cookies plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.0. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
History

Sat, 22 Feb 2025 16:15:00 +0000

Metrics (ssvc) added:

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 22 Feb 2025 03:30:00 +0000

Description added: The Show Me The Cookies plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.0. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
Title added: Show Me The Cookies <= 1.0 - Unauthenticated Arbitrary Shortcode Execution
Weaknesses added: CWE-94
References added:
Metrics (cvssV3_1) added:

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}



MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:57:53.993Z

Reserved: 2025-02-20T19:14:27.930Z

Link: CVE-2025-1509

Vulnrichment

Updated: 2025-02-22T15:29:43.468Z

NVD

Status: Received

Published: 2025-02-22T04:15:09.883

Modified: 2025-02-22T04:15:09.883

Link: CVE-2025-1509

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T22:30:06Z

Weaknesses