Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in vaakash Shortcoder shortcoder allows Stored XSS. This issue affects Shortcoder: from n/a through <= 6.5.1.
Published: 2026-02-19
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-site Scripting (CWE-79)
Action: Update Plugin
AI Analysis

Impact

The Shortcoder WordPress plugin version 6.5.1 and earlier stores user input without proper neutralization, enabling stored cross‑site scripting (XSS). An attacker who can insert content through the plugin’s interface can embed malicious JavaScript that executes in the browsers of all visitors who load the affected page. This can lead to session hijacking, credential theft, defacement, or the delivery of malware, compromising the confidentiality and integrity of user sessions and data.

Affected Systems

The vulnerability affects the WordPress Shortcoder plugin published by the vendor vaakash. All releases up to and including version 6.5.1 are affected; no later version is known to be vulnerable.

Risk and Exploitability

The CVSS base score of 6.5 indicates moderate severity, and the EPSS score of less than 1% suggests that exploitation in the wild is unlikely. The vulnerability is not listed in CISA’s KEV catalog. Attackers likely need administrative or editing access to inject malicious payloads, and because the flaw is stored, a single compromised content entry can affect every visitor to the page. Given the low exploitation probability, the risk is lower for organizations that do not expose the plugin’s content editor to untrusted users, but the potential impact still warrants mitigation.

Generated by OpenCVE AI on April 16, 2026 at 06:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Shortcoder plugin release that addresses the XSS issue, if one is available.
  • If updating is not immediately possible, temporarily disable the Shortcoder plugin or remove any untrusted content that may have been injected.
  • Apply a web application firewall rule to block or sanitize scripts submitted through the Shortcoder interface.


Advisories

No advisories yet.

History

Fri, 27 Feb 2026 17:15:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}
                           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Feb 2026 10:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Vaakash; Vaakash shortcoder; Wordpress; Wordpress wordpress
Vendors & Products   (none)           Vaakash; Vaakash shortcoder; Wordpress; Wordpress wordpress

Thu, 19 Feb 2026 08:45:00 +0000

Type         Values Removed   Values Added
Description  (none)           Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in vaakash Shortcoder shortcoder allows Stored XSS. This issue affects Shortcoder: from n/a through <= 6.5.1.
Title        (none)           WordPress Shortcoder plugin <= 6.5.1 - Cross Site Scripting (XSS) vulnerability
Weaknesses   (none)           CWE-79
References   (none)           (none)

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:15:01.107Z

Reserved: 2026-02-17T13:23:51.341Z

Link: CVE-2026-27074

Vulnrichment

Updated: 2026-02-27T16:24:07.240Z

NVD

Status : Deferred

Published: 2026-02-19T09:16:27.770

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-27074

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T06:30:06Z

Weaknesses