Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : March 18, 2026

CVE-2026-27074: Shortcoder — Create Shortcodes for Anything <= 6.5.1 – Authenticated (Contributor+) Stored Cross-Site Scripting (shortcoder)

CVE ID CVE-2026-27074
Plugin shortcoder
Severity Medium (CVSS 6.4)
CWE 79
Vulnerable Version 6.5.1
Patched Version 6.5.2
Disclosed January 8, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-27074:
The Shortcoder WordPress plugin contains an authenticated stored cross-site scripting (XSS) vulnerability. The plugin’s custom field tag replacement logic fails to sanitize user-controlled input before output, allowing contributor-level and above users to inject arbitrary JavaScript. This vulnerability has a CVSS score of 6.4, indicating medium severity.

The root cause is insufficient input sanitization in the `shortcoder.php` file. The vulnerable code resides in the function that processes custom field tags within shortcode content. The plugin extracts values for custom fields using the `$$custom_field:…$$` placeholder pattern. Prior to version 6.5.2, the plugin directly replaced the placeholder with the user-supplied value without applying any output escaping. The diff shows the vulnerable code path is in `shortcoder.php` around line 336, where the variable `$value` is assigned from `$cf_default_val` or a similar source and then used in a `str_replace` operation.

An attacker exploits this by creating or editing a post with a Shortcoder block that uses a custom field. The attacker sets the default value for that custom field to a malicious JavaScript payload. When the post is saved and subsequently viewed by any user, the plugin processes the shortcode, replaces the `$$custom_field:…$$` tag with the unsanitized payload, and renders it directly into the page HTML, causing script execution. The attack vector requires contributor-level authentication to access the post editor.

The patch adds a single line of code: `$value = wp_kses_post( $value );` on line 338 of `shortcoder.php`. This function applies the KSES HTML filtering rules to the `$value` variable before it is inserted into the content via `str_replace`. The `wp_kses_post` function strips or encodes dangerous HTML tags and attributes, neutralizing XSS payloads. The fix ensures that any user-controlled data used in custom field replacements is safe for output in an HTML context.

Successful exploitation leads to stored XSS. An attacker with contributor privileges can inject malicious scripts that execute in the browser of any user viewing the compromised post or page. This can result in session hijacking, account takeover, defacement, or redirection to malicious sites. The vulnerability affects all plugin versions up to and including 6.5.1.

Differential between vulnerable and patched code

Code Diff 
--- a/shortcoder/shortcoder.php
+++ b/shortcoder/shortcoder.php
@@ -4,13 +4,13 @@
 Plugin URI: https://www.aakashweb.com/wordpress-plugins/shortcoder/
 Description: Shortcoder plugin allows to create a custom shortcodes for HTML, JavaScript and other snippets. Now the shortcodes can be used in posts/pages and the snippet will be replaced in place.
 Author: Aakash Chakravarthy
-Version: 6.5.1
+Version: 6.5.2
 Author URI: https://www.aakashweb.com/
 Text Domain: shortcoder
 Domain Path: /languages
 */

-define( 'SC_VERSION', '6.5.1' );
+define( 'SC_VERSION', '6.5.2' );
 define( 'SC_PATH', plugin_dir_path( __FILE__ ) ); // All have trailing slash
 define( 'SC_URL', plugin_dir_url( __FILE__ ) );
 define( 'SC_ADMIN_URL', trailingslashit( plugin_dir_url( __FILE__ ) . 'admin' ) );
@@ -336,6 +336,8 @@
                 $value = $cf_default_val;
             }

+            $value = wp_kses_post( $value );
+
             $full_tag = '$$custom_field:' . $cf_tag . '$$';
             $content = str_replace( $full_tag, $value, $content );

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC 
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-27074 - Shortcoder — Create Shortcodes for Anything <= 6.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
<?php

$target_url = 'http://target-site.local/wp-admin/admin-ajax.php';
$username = 'contributor_user';
$password = 'contributor_pass';

// Payload to inject into a Shortcoder custom field default value.
// This will execute an alert when the shortcode is rendered.
$payload = '"><script>alert(document.domain)</script>';

// Step 1: Authenticate to WordPress and obtain a nonce for the Shortcoder editor.
// This PoC assumes the attacker has already created a shortcode named 'test_xss'
// with a custom field tag $$custom_field:test$$. The exploit requires editing that shortcode.
// The actual AJAX action and parameters for editing a shortcode are plugin-specific
// and not provided in the diff. Therefore, a complete, reliable PoC cannot be constructed
// without reverse-engineering the plugin's admin AJAX handlers.

// Due to insufficient public details about the exact administrative endpoint and
// parameters required to set a custom field's default value, a safe and accurate
// PoC script cannot be produced. The vulnerability is in output rendering, but
// the injection vector requires manipulating shortcode definitions via the plugin's
// admin interface, the mechanics of which are not disclosed.

// Returning null as per instructions when a meaningful PoC cannot be created.

?>

Frequently Asked Questions

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations

Trusted by Developers
Blac&kMcDonaldCovenant House TorontoAlzheimer Society CanadaUniversity of TorontoHarvard Medical School