Description
The Administrative Shortcodes plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0.3.4 via the 'slug' attribute of the 'get_template' shortcode. This is due to insufficient path validation on user-supplied input passed to the get_template_part() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included.
Published: 2026-01-24
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution via local file inclusion
Action: Patch immediately
AI Analysis

Impact

Authenticated users with Contributor-level permissions or above can place a get_template shortcode in content with a crafted 'slug' attribute. The plugin passes that value to WordPress's get_template_part() without adequate path validation, so the attacker controls which file on the server is included and executed as PHP. Depending on which files the attacker can already reach or place on the server, the result ranges from disclosure of sensitive data and bypass of access controls to full code execution.

Affected Systems

WordPress sites running the Administrative Shortcodes plugin at version 0.3.4 or earlier. A site is exposed when the plugin is active and a user with the Contributor role or higher can author or edit content in which shortcodes are rendered; a Contributor does not need publishing rights, since previewing an unpublished post already executes shortcodes.

Risk and Exploitability

The CVSS 3.1 vector (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) scores 7.5 High: reachable over the network with low privileges (a Contributor account) and no user interaction, but with high attack complexity, because the attacker also needs a file with controlled content at a path the inclusion can reach. The EPSS score is below 1 %, the CVE is not in the KEV catalog, and the SSVC assessment records Exploitation: none and Automatable: no, so observed exploitation is currently low. Exploitation combines two steps: getting a file with attacker-controlled content onto the server (Contributors lack the upload_files capability by default, so this usually depends on another role, another plugin, or a file already present) and inserting a get_template shortcode whose 'slug' resolves to that file, then rendering or previewing the content. A successful chain yields code execution as the web server user.

Generated by OpenCVE AI on April 15, 2026 at 21:41 UTC.
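A check a site owner can run before patching is to look for existing content that already uses the get_template shortcode with a slug that is not a plain template name. The script below is an added example, not part of the OpenCVE page or the plugin; the post bodies are constructed for illustration, and in practice the content would come from the wp_posts table (for example via wp db query).

```php
<?php
// Added example: scan post content for [get_template ...] shortcodes whose
// 'slug' attribute does not look like a plain template name.
// Run with: php scan_get_template.php

function extract_get_template_slugs( string $content ): array {
    // Capture the attribute string of every [get_template ...] tag.
    if ( ! preg_match_all( '/\[get_template\b([^\]]*)\]/i', $content, $tags ) ) {
        return array();
    }
    $slugs = array();
    foreach ( $tags[1] as $attr_string ) {
        // Accept slug="x", slug='x' or bare slug=x. Only one alternation matches,
        // so concatenating the three groups yields the captured value.
        if ( preg_match( '/\bslug\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s\]]+))/i', $attr_string, $m ) ) {
            $slugs[] = ( $m[1] ?? '' ) . ( $m[2] ?? '' ) . ( $m[3] ?? '' );
        }
    }
    return $slugs;
}

function is_suspicious_slug( string $slug ): bool {
    // A legitimate slug is a relative name such as 'content' or
    // 'template-parts/content'. Anything else deserves a look.
    if ( $slug === '' ) {
        return true;
    }
    if ( strpos( $slug, '..' ) !== false ) {           // directory traversal
        return true;
    }
    if ( $slug[0] === '/' || $slug[0] === '\\' ) {     // absolute path
        return true;
    }
    if ( preg_match( '/^[a-zA-Z]:/', $slug ) ) {       // Windows drive letter
        return true;
    }
    if ( strpos( $slug, "\0" ) !== false ) {           // null byte
        return true;
    }
    // Anything outside letters, digits, '_', '-' and '/' (encoded chars, spaces, colons).
    return preg_match( '#^[a-z0-9_/-]+$#i', $slug ) !== 1;
}

function scan_posts( array $posts ): array {
    $findings = array();
    foreach ( $posts as $post_id => $content ) {
        foreach ( extract_get_template_slugs( $content ) as $slug ) {
            if ( is_suspicious_slug( $slug ) ) {
                $findings[] = array( 'post' => $post_id, 'slug' => $slug );
            }
        }
    }
    return $findings;
}

// Constructed sample content keyed by post ID. In production, feed this from
// SELECT ID, post_content FROM wp_posts WHERE post_content LIKE '%[get_template%'
$posts = array(
    101 => 'Intro text [get_template slug="content-sidebar"] more text',
    102 => '[get_template slug="../../uploads/2026/01/avatar"]',
    103 => "[get_template slug='/etc/passwd']",
    104 => 'Nothing relevant here',
);

foreach ( scan_posts( $posts ) as $f ) {
    printf( "post %d: suspicious slug %s\n", $f['post'], $f['slug'] );
}
```

Posts 102 and 103 are reported; 101 and 104 are not. The allowlist of characters is deliberately strict, so a theme that uses unusual template names will produce false positives that are quick to dismiss by hand.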

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Administrative Shortcodes plugin to 0.3.5 or newer; if no fixed release is available yet, deactivate the plugin until one is.
  • Disable or remove the get_template shortcode from content, or restrict its use to administrators only. A capability check inside the shortcode callback tests the visitor rendering the page, not the author who inserted the shortcode, so any restriction has to be enforced when content is saved, or by not registering the shortcode at all.
  • Ensure that the uploads directory, and any other directory the web server can write to, does not execute PHP (deny script execution there in the web server configuration), and validate every path before inclusion against an allowlist of expected template names rather than by filtering out '../'.
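The last point above is the one a plugin author has to get right. The following is an added example, not the plugin's own code: a shortcode handler that forwards its 'slug' attribute to get_template_part() the way the advisory describes, beside a hardened form that maps the attribute onto a fixed allowlist. Function names, the allowlist keys and the template paths are assumed for illustration.

```php
<?php
// Added example (not Administrative Shortcodes' code): vulnerable pattern
// beside a hardened replacement. Runs inside WordPress, e.g. as a small plugin.

// Vulnerable pattern: the attribute reaches get_template_part() unchanged.
// Core appends '.php' to the slug and require()s the first match under the
// theme directories, so for a theme in wp-content/themes/<theme>/ a value of
// '../../uploads/2026/01/shell' includes wp-content/uploads/2026/01/shell.php.
function example_get_template_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'slug' => '' ), $atts, 'get_template' );
    ob_start();
    get_template_part( $atts['slug'] );
    return ob_get_clean();
}

// Hardened pattern: the attribute is a key into an allowlist, never a path.
const EXAMPLE_ALLOWED_TEMPLATES = array(   // assumed names for illustration
    'sidebar' => 'template-parts/content-sidebar',
    'footer'  => 'template-parts/content-footer',
);

function example_get_template_hardened( $atts ) {
    $atts = shortcode_atts( array( 'slug' => '' ), $atts, 'get_template' );

    // sanitize_key() lowercases and strips everything except [a-z0-9_-],
    // so '../', '/' and null bytes cannot survive even before the lookup.
    $key = sanitize_key( $atts['slug'] );
    if ( ! isset( EXAMPLE_ALLOWED_TEMPLATES[ $key ] ) ) {
        return ''; // unknown template: render nothing, never a caller-chosen path
    }
    $template = EXAMPLE_ALLOWED_TEMPLATES[ $key ];

    // Defense in depth: core's validate_file() returns non-zero for '../'
    // sequences and absolute Windows paths, which guards the allowlist itself
    // against a bad entry being added later.
    if ( 0 !== validate_file( $template ) ) {
        return '';
    }

    ob_start();
    get_template_part( $template );
    return ob_get_clean();
}

add_shortcode( 'get_template', 'example_get_template_hardened' );
```

The key design choice is that user input selects an entry from a list the developer wrote; it is never combined into a filesystem path. A blacklist of '../' would be weaker, since it does not stop absolute paths and leaves the handler one encoding trick away from the same bug.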

Generated by OpenCVE AI on April 15, 2026 at 21:41 UTC.

Advisories

No advisories yet.

History

Mon, 26 Jan 2026 19:15:00 +0000

Metrics, values added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 26 Jan 2026 12:00:00 +0000

First Time appeared, values added: Wordpress (vendor Wordpress, product wordpress)
Vendors & Products, values added: Wordpress (vendor Wordpress, product wordpress)

Sat, 24 Jan 2026 07:45:00 +0000

Description, value added: The Administrative Shortcodes plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0.3.4 via the 'slug' attribute of the 'get_template' shortcode. This is due to insufficient path validation on user-supplied input passed to the get_template_part() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included.
Title, value added: Administrative Shortcodes <= 0.3.4 - Authenticated (Contributor+) Local File Inclusion via 'slug' Shortcode Attribute
Weaknesses, value added: CWE-98
References, values added:
Metrics, value added: cvssV3_1
{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:36:15.775Z

Reserved: 2026-01-20T19:59:34.956Z

Link: CVE-2026-1257

Vulnrichment

Updated: 2026-01-26T15:30:22.367Z

NVD

Status: Deferred

Published: 2026-01-24T08:16:09.517

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1257

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T21:45:14Z

Weaknesses