Skip to main content

Shortcodes Ultimate CVE-2023-6226

MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2023-11-28 security@wordfence.com
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Patch released
Apr 08, 2026 - 18:22 nvd
Patch available
PoC Detected
Apr 08, 2026 - 18:18 vuln.today
Public exploit code
CVE Published
Nov 28, 2023 - 05:15 nvd
MEDIUM 4.3

DescriptionCVE.org

The WP Shortcodes Plugin - Shortcodes Ultimate plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.13.3 via the su_meta shortcode due to missing validation on the user controlled keys 'key' and 'post_id'. This makes it possible for authenticated attackers, with contributor-level access and above, to retrieve arbitrary post meta values which may contain sensitive information when combined with another plugin.

AnalysisAI

The WP Shortcodes Plugin - Shortcodes Ultimate plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.13.3 via the su_meta shortcode due to. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Technical ContextAI

This vulnerability is classified under CWE-639. The WP Shortcodes Plugin - Shortcodes Ultimate plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.13.3 via the su_meta shortcode due to missing validation on the user controlled keys 'key' and 'post_id'. This makes it possible for authenticated attackers, with contributor-level access and above, to retrieve arbitrary post meta values which may contain sensitive information when combined with another plugin. Affected products include: Getshortcodes Shortcodes Ultimate.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2023-0911 MEDIUM POC
6.5 Mar 20

The WordPress Shortcodes Plugin - Shortcodes Ultimate WordPress plugin before 5.12.8 does not validate the user meta to

CVE-2023-0890 MEDIUM POC
6.5 Mar 20

The WordPress Shortcodes Plugin - Shortcodes Ultimate WordPress plugin before 5.12.8 does not ensure that posts to be di

CVE-2023-6225 MEDIUM POC
6.4 Nov 28

The WP Shortcodes Plugin - Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the

CVE-2024-3188 MEDIUM POC
6.3 Apr 26

The WP Shortcodes Plugin - Shortcodes Ultimate WordPress plugin before 7.1.0 does not validate and escape some of its sh

CVE-2024-3548 MEDIUM POC
6.1 May 15

The WP Shortcodes Plugin - Shortcodes Ultimate WordPress plugin before 7.1.2 does not sanitise and escape a parameter be

CVE-2024-6766 MEDIUM POC
5.4 Aug 06

The shortcodes-ultimate-pro WordPress plugin before 7.2.1 does not validate and escape some of its shortcode attributes

CVE-2024-2583 MEDIUM POC
5.4 Apr 13

The WP Shortcodes Plugin - Shortcodes Ultimate WordPress plugin before 7.0.5 does not properly escape some of its shortc

CVE-2021-24525 MEDIUM POC
5.4 Sep 20

The Shortcodes Ultimate WordPress plugin before 5.10.2 allows users with Contributor roles to perform stored XSS via sho

CVE-2022-41136 HIGH
8.8 Nov 08

Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS) in Vladimir Anokhin's Short

CVE-2024-4217 MEDIUM POC
4.7 Jul 13

The shortcodes-ultimate-pro WordPress plugin before 7.1.5 does not properly escape some of its shortcodes' settings, mak

CVE-2023-23800 HIGH
7.1 Nov 13

Server-Side Request Forgery (SSRF) vulnerability in Vova Anokhin WP Shortcodes Plugin - Shortcodes Ultimate.12.6. Rated

CVE-2024-4553 MEDIUM
6.4 May 21

The WP Shortcodes Plugin - Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the

Share

CVE-2023-6226 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy