Skip to main content

Surbma Infusionsoft Shortcode

1 CVEs product

Monthly

CVE-2026-11597 MEDIUM This Month

Stored Cross-Site Scripting in the Surbma | Infusionsoft Shortcode WordPress plugin (versions ≤ 2.0.1) allows authenticated contributors to inject persistent malicious scripts that execute in any visitor's browser. The flaw originates in the surbma_infusionsoft_shortcode_shortcode() function, where the 'account' and 'id' shortcode attributes are concatenated without sanitization directly into a <script> tag's src attribute - a particularly dangerous injection point because it bypasses many output-escaping checks that target HTML attribute or element contexts. No public exploit code has been identified at time of analysis, and no CISA KEV listing is present.

WordPress XSS Surbma Infusionsoft Shortcode
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Surbma | Infusionsoft Shortcode WordPress plugin (versions ≤ 2.0.1) allows authenticated contributors to inject persistent malicious scripts that execute in any visitor's browser. The flaw originates in the surbma_infusionsoft_shortcode_shortcode() function, where the 'account' and 'id' shortcode attributes are concatenated without sanitization directly into a <script> tag's src attribute - a particularly dangerous injection point because it bypasses many output-escaping checks that target HTML attribute or element contexts. No public exploit code has been identified at time of analysis, and no CISA KEV listing is present.

WordPress XSS Surbma Infusionsoft Shortcode
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy