Description
The Shortcode Buddy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 0.1.9.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-05-27
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Shortcode Buddy plugin does not sufficiently sanitize or escape shortcode attribute values before rendering them into page HTML. An authenticated user with contributor or higher privileges can therefore store JavaScript in post or page content that executes in the browser of every visitor who opens the affected page. Successful exploitation could deface or alter content, steal session data exposed to scripts, perform actions in the victim's authenticated session (for example an administrator's) on the attacker's behalf, or redirect visitors to further malicious content.
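The mechanism behind this bug class, as an added illustrative example that is not code from the Shortcode Buddy plugin (the advisory does not show the plugin's source; the shortcode tags example_box_vuln and example_box_safe, their attributes and the payload are assumed). Contributors cannot save raw HTML because WordPress runs their post content through KSES, but KSES only filters HTML tags, so a shortcode attribute value that contains no "<" survives untouched and only the rendering code stands between it and the page:

```php
<?php
// Added example, not the Shortcode Buddy plugin's code: a hypothetical
// shortcode with the advisory's bug class (CWE-79 via shortcode attributes)
// next to a hardened version. Tag names, attributes and payload are assumed.

// VULNERABLE: shortcode_atts() only merges defaults, it does not sanitize,
// and the values are concatenated straight into HTML.
function example_box_vulnerable( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => 'Box', 'color' => '#000000' ),
        $atts,
        'example_box_vuln'
    );
    return '<div class="box" title="' . $atts['title'] . '"'
        . ' style="color:' . $atts['color'] . '">'
        . '<h3>' . $atts['title'] . '</h3></div>';
}
add_shortcode( 'example_box_vuln', 'example_box_vulnerable' );

// A contributor can save this post content; KSES leaves it alone because
// there is no HTML tag in it:
//   [example_box_vuln title='" onmouseover="alert(1)']
// shortcode_parse_atts() accepts the single-quoted value, so the handler
// above renders
//   <div class="box" title="" onmouseover="alert(1)" style="color:#000000">
// and the injected handler fires for every visitor who hovers the box.

// HARDENED: escape each value for the context it lands in (esc_attr() for
// attribute values, esc_html() for text) and allow-list values that have a
// fixed grammar instead of escaping them, here a CSS hex colour.
function example_box_hardened( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => 'Box', 'color' => '#000000' ),
        $atts,
        'example_box_safe'
    );
    $color = preg_match( '/^#[0-9a-f]{6}$/i', $atts['color'] ) ? $atts['color'] : '#000000';
    return '<div class="box" title="' . esc_attr( $atts['title'] ) . '"'
        . ' style="color:' . esc_attr( $color ) . '">'
        . '<h3>' . esc_html( $atts['title'] ) . '</h3></div>';
}
add_shortcode( 'example_box_safe', 'example_box_hardened' );
```

Attributes that end up in href or src belong to esc_url() rather than esc_attr(), and an attribute that must carry limited HTML should go through wp_kses_post() on output; the rule in every case is to escape at the point of output for the context the value lands in, not to rely on what was filtered at save time.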

Affected Systems

WordPress sites that use the Shortcode Buddy plugin by Vincent Astolfi, version 0.1.9.5 or earlier.

Risk and Exploitability

The CVSS 3.1 base score of 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) classifies this flaw as medium severity; the changed scope reflects that script injected by one low-privileged account runs in the browsers of other users. EPSS is below 1% (very low), and the issue is not listed in CISA KEV. The typical attack path requires the attacker to be authenticated with at least contributor access, which is enough to place shortcodes in post or page content. Once a malicious shortcode is saved, the embedded script runs automatically for any visitor who views the affected page.

Generated by OpenCVE AI on May 27, 2026 at 08:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Shortcode Buddy plugin to a release newer than 0.1.9.5; if no fixed release is available, deactivate and remove the plugin.
  • Review user roles so that only trusted accounts hold the contributor role or above, since any such account can place shortcodes in post and page content.
  • Audit existing posts and pages for shortcode attribute values that contain event handlers, script or other markup tags, or javascript: URIs, and remove or sanitize any that are not intended.
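One way to carry out the audit in the last item, as an added example that is not the advisory's or the plugin's code. It is written to run inside WordPress with WP-CLI (assumed), as wp eval-file audit-shortcode-atts.php; the file name and the indicator patterns are choices of this example. It matches shortcodes with a generic [tag ...] pattern rather than get_shortcode_regex(), so it still finds the plugin's shortcodes after the plugin has been deactivated and its tags are no longer registered:

```php
<?php
// Added example, not from the advisory or the plugin. Run inside WordPress:
//   wp eval-file audit-shortcode-atts.php
// Flags shortcode attribute values that look like stored-XSS payloads.

// Indicators a value should never legitimately contain. Extend for your site.
$indicators = array(
    'event handler'        => '/\bon[a-z]+\s*=/i',
    'script/markup tag'    => '/<\s*\/?\s*(script|iframe|svg|img|object|embed|style|math)\b/i',
    'javascript: URI'      => '/javascript\s*:/i',
    'data: HTML URI'       => '/data\s*:\s*text\/html/i',
    'quote then attribute' => '/["\']\s*[\w-]+\s*=/',
);

// Generic shortcode matcher: [tag attrs]. Closing [/tag] is skipped because a
// tag name cannot start with '/'. Group 1 = tag name, group 2 = raw attributes.
$shortcode = '/\[([\w-]+)([^\]]*)\]/';

// Every post of every type and status, including drafts and pending posts a
// contributor may have left for review.
$ids = get_posts( array(
    'post_type'      => 'any',
    'post_status'    => 'any',
    'posts_per_page' => -1,
    'fields'         => 'ids',
) );

$hits = 0;
foreach ( $ids as $id ) {
    $post = get_post( $id );
    if ( ! $post || ! preg_match_all( $shortcode, $post->post_content, $tags, PREG_SET_ORDER ) ) {
        continue;
    }
    foreach ( $tags as $tag ) {
        // shortcode_parse_atts() returns a string, not an array, when the
        // tag has no attributes, so guard before iterating.
        $atts = shortcode_parse_atts( $tag[2] );
        if ( ! is_array( $atts ) ) {
            continue;
        }
        foreach ( $atts as $name => $value ) {
            if ( ! is_string( $value ) ) {
                continue;
            }
            foreach ( $indicators as $label => $regex ) {
                if ( preg_match( $regex, $value ) ) {
                    $hits++;
                    WP_CLI::warning( sprintf(
                        'post %d (%s, author %d) [%s] attr %s: %s -> %s',
                        $post->ID, $post->post_status, (int) $post->post_author,
                        $tag[1], $name, $label, $value
                    ) );
                    break; // one report per attribute value is enough
                }
            }
        }
    }
}
WP_CLI::log( $hits . ' suspicious shortcode attribute value(s) found.' );
```

Each warning names the post, its status and its author, which is the list of accounts to review under the second item above. The generic matcher will also report bracketed text that is not a shortcode, such as [1]; those parse to positional attributes and only appear if they trip an indicator.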


Tracking


Advisories

No advisories yet.

History

Wed, 27 May 2026 11:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 27 May 2026 10:30:00 +0000

Type: First Time appeared
Values Added: Vincentastolfi; Vincentastolfi shortcode Buddy; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Vincentastolfi; Vincentastolfi shortcode Buddy; Wordpress; Wordpress wordpress

Wed, 27 May 2026 06:30:00 +0000

Type: Description
Values Added: The Shortcode Buddy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 0.1.9.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Values Added: Shortcode Buddy <= 0.1.9.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

Type: Weaknesses
Values Added: CWE-79

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_1
{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-27T10:38:10.671Z

Reserved: 2026-05-18T21:05:10.205Z

Link: CVE-2026-8897

Vulnrichment

Updated: 2026-05-27T10:38:06.154Z

NVD

Status: Received

Published: 2026-05-27T07:16:17.847

Modified: 2026-05-27T07:16:17.847

Link: CVE-2026-8897

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T10:07:34Z

Weaknesses