{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0738", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-08T16:22:58.964Z", "datePublished": "2026-04-04T07:41:58.385Z", "dateUpdated": "2026-04-08T16:55:30.862Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:55:30.862Z"}, "affected": [{"vendor": "gn_themes", "product": "WP Shortcodes Plugin \u2014 Shortcodes Ultimate", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "7.4.8", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP Shortcodes Plugin - Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the su_carousel shortcode in all versions up to, and including, 7.4.8. This is due to insufficient input sanitization and output escaping in the 'su_slide_link' attachment meta field. This makes it possible for authenticated attackers, with author level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Shortcodes Ultimate <= 7.4.8 - authenticated (Contributor+) Stored Cross-Site Scripting via 'su_carousel' Shortcode", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5bfc718a-408b-4389-b03b-bfe152ed7b28?source=cve"}, {"url": "https://research.cleantalk.org/cve-2026-0738/"}, {"url": "https://plugins.trac.wordpress.org/changeset?old_path=shortcodes-ultimate/tags/7.4.8/includes/shortcodes/carousel.php&new_path=shortcodes-ultimate/tags/7.4.9/includes/shortcodes/carousel.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Dmitrii Ignatyev"}], "timeline": [{"time": "2026-01-06T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2026-01-08T16:42:19.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-03T19:34:03.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T15:48:57.663279Z", "id": "CVE-2026-0738", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T15:50:13.205Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0738", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-06T15:48:57.663279Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T15:49:30.089Z"}}], "cna": {"title": "Shortcodes Ultimate <= 7.4.8 - authenticated (Contributor+) Stored Cross-Site Scripting via 'su_carousel' Shortcode", "credits": [{"lang": "en", "type": "finder", "value": "Dmitrii Ignatyev"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "gn_themes", "product": "WP Shortcodes Plugin \u2014 Shortcodes Ultimate", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "7.4.8"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-06T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2026-01-08T16:42:19.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-04-03T19:34:03.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5bfc718a-408b-4389-b03b-bfe152ed7b28?source=cve"}, {"url": "https://research.cleantalk.org/cve-2026-0738/"}, {"url": "https://plugins.trac.wordpress.org/changeset?old_path=shortcodes-ultimate/tags/7.4.8/includes/shortcodes/carousel.php&new_path=shortcodes-ultimate/tags/7.4.9/includes/shortcodes/carousel.php"}], "descriptions": [{"lang": "en", "value": "The WP Shortcodes Plugin - Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the su_carousel shortcode in all versions up to, and including, 7.4.8. This is due to insufficient input sanitization and output escaping in the 'su_slide_link' attachment meta field. This makes it possible for authenticated attackers, with author level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-04T07:41:58.385Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0738", "state": "PUBLISHED", "dateUpdated": "2026-04-06T15:50:13.205Z", "dateReserved": "2026-01-08T16:22:58.964Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-04T07:41:58.385Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Shortcodes Plugin - Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the su_carousel shortcode in all versions up to, and including, 7.4.8. This is due to insufficient input sanitization and output escaping in the 'su_slide_link' attachment meta field. This makes it possible for authenticated attackers, with author level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2026-0738", "lastModified": "2026-04-07T13:20:55.200", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-04T08:16:06.210", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?old_path=shortcodes-ultimate/tags/7.4.8/includes/shortcodes/carousel.php&new_path=shortcodes-ultimate/tags/7.4.9/includes/shortcodes/carousel.php"}, {"source": "security@wordfence.com", "url": "https://research.cleantalk.org/cve-2026-0738/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5bfc718a-408b-4389-b03b-bfe152ed7b28?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,7.4.8]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "WP Shortcodes Plugin \u2014 Shortcodes Ultimate", "source": "cna", "vendor": "gn_themes"}, "product": "wp_shortcodes_plugin_\u2014_shortcodes_ultimate", "vendor": "gn_themes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-04T11:23:12.083668+00:00", "value": {"mitigation_remediation": ["Update Shortcodes Ultimate to version 7.4.9 or later", "If update is not possible, remove or disable the carousel shortcode from all content", "Audit existing carousel entries for injected scripts and remove any malicious content", "Restrict author and contributor roles from editing carousel metadata until a patch is applied"], "summary": {"action": "Apply patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "WordPress sites running the Shortcodes Ultimate plugin by gn_themes, version 7.4.8 and older.", "description_and_impact": "Shortcodes Ultimate does not sanitize or escape the \"su_slide_link\" attachment metadata used by its carousel shortcode. An authenticated user with author or higher privileges can insert arbitrary JavaScript into this field. When a page containing the carousel loads, the injected script executes in the browsers of any visitor, enabling credential theft, defacement, or other malicious actions.", "risk_and_exploitability": "The CVSS score of 6.4 indicates medium severity. EPSS information is absent, so the likelihood of exploitation is uncertain. The vulnerability is not listed in CISA\u2019s KEV. Exploitation requires authenticated access at author level or higher; the attack vector is local (user must be logged in). Once exploited, the impact is non\u2011disruptive but can compromise data and trust for all site visitors."}}}}, "created": "2026-04-06T20:27:40.606113+00:00", "updated": "2026-04-06T22:20:59.672626+00:00", "vendors": ["gn_themes", "gn_themes$PRODUCT$wp_shortcodes_plugin_\u2014_shortcodes_ultimate", "wordpress", "wordpress$PRODUCT$wordpress"]}