This page lists publicly disclosed CVE vulnerabilities affecting getshortcodes shortcodes_ultimate (linked via NVD CPE). Each row includes severity scores, summaries, and publication dates to help identify and analyze security issues.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2022-41136 | Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS) in Vladimir Anokhin's Shortcodes Ultimate plugin <= 5.12.0 on WordPress. | [email protected] | 6.1 | 0.29% | 2022-11-08 | 2026-06-17 |
| CVE-2022-38086 | Cross-Site Request Forgery (CSRF) vulnerability in Shortcodes Ultimate plugin <= 5.12.0 at WordPress leading to plugin preset settings change. | [email protected] | 5.4 | 0.29% | 2022-10-11 | 2026-06-17 |
| CVE-2021-24525 | The Shortcodes Ultimate WordPress plugin before 5.10.2 allows users with Contributor roles to perform stored XSS via shortcode attributes. Note: the plugin is inconsistent in its handling of shortcode attributes; some do escape, most don't, and there are even some attributes that are insecure by design (like [su_button]'s onclick attribute). | [email protected] | 5.4 | 0.60% | 2021-09-20 | 2026-06-16 |
| CVE-2017-18580 | The shortcodes-ultimate plugin before 5.0.1 for WordPress has remote code execution via a filter in a meta, post, or user shortcode. | [email protected] | 9.8 | 12.09% | 2019-08-22 | 2026-06-16 |
| CVE-2017-2245 | Directory traversal vulnerability in Shortcodes Ultimate prior to version 4.10.0 allows remote attackers to read arbitrary files via unspecified vectors. | [email protected] | 5.0 | 2.57% | 2017-07-07 | 2026-06-16 |