Description
The Query Shortcode plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0.2.1 via the shortcode function. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
Published: 2026-05-27
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Query Shortcode plugin for WordPress contains a Local File Inclusion flaw triggered by the 'lens' shortcode attribute. An authenticated user with Contributor or higher privileges can embed a crafted shortcode in a post or page, causing the plugin to include a server‑side file path. If the file is a PHP script, its contents execute within the WordPress context, allowing the attacker to bypass access controls, read or modify sensitive files, or run arbitrary PHP code.

Affected Systems

The vulnerability affects all WordPress sites running the Query Shortcode plugin by shazdeh, versions up to and including 0.2.1. Any installation of the plugin before the patched release is vulnerable; no other vendors or products are implicated.

Risk and Exploitability

With a CVSS score of 7.5 the issue is considered high severity. The EPSS score is not available, and it is not listed in the CISA KEV catalog, indicating no widespread exploitation yet. The flaw requires an authenticated user with at least Contributor role and the ability to add the 'lens' shortcode. Once these conditions are met, the attacker can include arbitrary files and execute PHP code, posing a substantial risk to confidentiality, integrity, and availability of the WordPress installation.

Generated by OpenCVE AI on May 27, 2026 at 08:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Query Shortcode to a version newer than 0.2.1 or uninstall the plugin if it is no longer needed.
  • If an upgrade is not immediately possible, revoke Contributor permissions or remove the 'lens' shortcode functionality so that no user can pass that attribute.
  • Enable detailed logging of PHP file inclusions and monitor server logs for unexpected file access attempts, applying strict file system permissions to restrict readable directories.

Generated by OpenCVE AI on May 27, 2026 at 08:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 27 May 2026 11:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 27 May 2026 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Shazdeh
Shazdeh query Shortcode
Wordpress
Wordpress wordpress
Vendors & Products Shazdeh
Shazdeh query Shortcode
Wordpress
Wordpress wordpress

Wed, 27 May 2026 06:30:00 +0000

Type Values Removed Values Added
Description The Query Shortcode plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0.2.1 via the shortcode function. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
Title Query Shortcode <= 0.2.1 - Authenticated (Contributor+) Local File Inclusion via 'lens' Shortcode Attribute
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Shazdeh Query Shortcode
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-27T10:38:37.601Z

Reserved: 2026-05-21T15:43:41.982Z

Link: CVE-2026-9200

cve-icon Vulnrichment

Updated: 2026-05-27T10:38:32.981Z

cve-icon NVD

Status : Received

Published: 2026-05-27T07:16:19.157

Modified: 2026-05-27T07:16:19.157

Link: CVE-2026-9200

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T10:07:38Z

Weaknesses