
CVE-2026-0738

Medium
CWE-79 — Weakness Type
Published: Apr 4, 2026  ·  Modified: Apr 7, 2026  ·  Source: NVD
CVSS v3
6.4
📄 Description (English)

The WP Shortcodes Plugin - Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the su_carousel shortcode in all versions up to, and including, 7.4.8. This is due to insufficient input sanitization and output escaping in the 'su_slide_link' attachment meta field. This makes it possible for authenticated attackers, with author level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

🤖 AI Executive Summary

The WP Shortcodes Plugin (Shortcodes Ultimate) versions up to 7.4.8 contain a Stored Cross-Site Scripting (XSS) vulnerability in the su_carousel shortcode that allows authenticated attackers with author-level access to inject malicious scripts. While requiring authentication, this vulnerability poses a significant risk to WordPress-based government and corporate websites in Saudi Arabia where multiple content creators have access. The vulnerability has a CVSS score of 6.4 (medium) and currently has no available patch.

🤖 AI Intelligence Analysis (analyzed: May 15, 2026 14:56)
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability primarily affects Saudi government agencies, educational institutions, and private sector organizations using WordPress with the Shortcodes Ultimate plugin. High-risk sectors include: (1) Government entities under NCA oversight using WordPress for public portals; (2) Banking and financial institutions (SAMA-regulated) using WordPress for customer-facing content; (3) Healthcare organizations managing patient information portals; (4) Telecommunications companies (STC, Mobily) with WordPress-based customer platforms; (5) Energy sector (ARAMCO-related entities) with internal WordPress deployments. The risk is elevated in organizations with multiple content authors where insider threats or compromised author accounts could inject malicious scripts affecting thousands of users.
🏢 Affected Saudi Sectors
Government and Public Administration; Banking and Financial Services; Healthcare and Medical Services; Telecommunications; Energy and Utilities; Education; E-commerce and Retail; Media and Publishing
⚖️ Saudi Risk Score (AI)
6.8 / 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Audit all WordPress installations using Shortcodes Ultimate plugin versions ≤7.4.8 across your organization
2. Restrict author-level access to only trusted personnel; review and revoke unnecessary author/editor permissions
3. If the su_carousel shortcode is not actively used, disable it via plugin settings or code modification

COMPENSATING CONTROLS (until patch available):
4. Implement Web Application Firewall (WAF) rules to detect and block XSS payloads in carousel shortcode parameters
5. Deploy Content Security Policy (CSP) headers with strict script-src directives to prevent inline script execution
6. Enable WordPress security plugins (Wordfence, Sucuri) with real-time malware scanning
7. Implement input validation at the database level for attachment meta fields

DETECTION RULES:
8. Monitor WordPress logs for POST requests containing 'su_carousel' with suspicious characters (script tags, event handlers)
9. Search existing pages/posts for 'su_carousel' shortcodes with encoded or obfuscated script content
10. Set up alerts for modifications to attachment meta fields by author-level users

PATCHING STRATEGY:
11. Contact plugin vendor for security update timeline; consider alternative carousel plugins if no patch timeline provided
12. Prepare rollback plan before applying any updates
13. Test updates in staging environment first
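A compensating control for steps 3, 7 and 10 above, as an added must-use plugin that is not part of Shortcodes Ultimate or of this advisory: it restricts the su_slide_link attachment meta to http(s) URLs before it is stored, logs changes to that field by author-level accounts, and optionally unregisters the su_carousel shortcode. It assumes the plugin stores the per-slide link as attachment post meta under the key su_slide_link through update_post_meta() and registers its shortcodes no later than init; the cisosa_* names and the CISOSA_DISABLE_SU_CAROUSEL constant are placeholders.

```php
<?php
/**
 * Plugin Name: su_slide_link hardening (added example, not part of Shortcodes Ultimate)
 * Place in wp-content/mu-plugins/ so it loads before regular plugins.
 *
 * Assumption (not confirmed by the advisory): the per-slide link is saved as
 * attachment post meta under 'su_slide_link' via update_post_meta(), which
 * routes the value through sanitize_meta() and this filter.
 */

// Step 7: allow only absolute http(s) URLs. javascript:/data: schemes, markup and
// entity- or percent-encoded variants are replaced by '' before reaching the DB.
function cisosa_sanitize_slide_link( $value ) {
    // Decode first so "&#106;avascript:" or "java%73cript:" cannot pass the scheme check.
    $decoded = rawurldecode( html_entity_decode( (string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8' ) );
    $decoded = trim( preg_replace( '/[\x00-\x1F\x7F]/', '', $decoded ) );
    $scheme  = strtolower( (string) wp_parse_url( $decoded, PHP_URL_SCHEME ) );
    if ( ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
        return '';
    }
    // esc_url_raw() is the storage-safe escaper; it also encodes stray markup characters.
    return esc_url_raw( $decoded, array( 'http', 'https' ) );
}
add_filter( 'sanitize_post_meta_su_slide_link', 'cisosa_sanitize_slide_link', 10, 1 );

// Step 10: record slide-link changes by accounts that cannot edit others' posts
// (author level). Replace error_log() with your SIEM forwarder.
function cisosa_log_slide_link_change( $meta_id, $object_id, $meta_key, $meta_value ) {
    if ( 'su_slide_link' !== $meta_key || current_user_can( 'edit_others_posts' ) ) {
        return;
    }
    error_log( sprintf( 'su_slide_link changed by user %d on attachment %d: %s',
        get_current_user_id(), $object_id, wp_json_encode( $meta_value ) ) );
}
add_action( 'added_post_meta',   'cisosa_log_slide_link_change', 10, 4 );
add_action( 'updated_post_meta', 'cisosa_log_slide_link_change', 10, 4 );

// Step 3: if the carousel is unused, unregister the shortcode after the plugin has
// registered it (assumed to happen on or before 'init'; this runs last on 'init').
add_action( 'init', function () {
    if ( defined( 'CISOSA_DISABLE_SU_CAROUSEL' ) && CISOSA_DISABLE_SU_CAROUSEL ) {
        remove_shortcode( 'su_carousel' );
    }
}, PHP_INT_MAX );
```

Sanitizing on write does not clean values already in the database and does not change the plugin's own output escaping, so audit existing su_slide_link values after deploying it.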
🔧 Remediation Steps (Arabic, translated to English)
IMMEDIATE ACTIONS:
1. Audit all WordPress installations that use the Shortcodes Ultimate plugin at versions ≤7.4.8 across your organization
2. Restrict author-level access to trusted staff only; review and revoke unnecessary author/editor permissions
3. Disable the su_carousel shortcode if it is not in active use, via plugin settings or code modification

COMPENSATING CONTROLS (until a patch is available):
4. Implement Web Application Firewall (WAF) rules to detect and block XSS payloads in carousel shortcode parameters
5. Deploy Content Security Policy (CSP) headers with strict script-src directives to prevent execution of inline scripts
6. Enable WordPress security plugins (Wordfence, Sucuri) with real-time malware scanning
7. Implement input validation at the database level for attachment metadata fields

DETECTION RULES:
8. Monitor WordPress logs for POST requests containing 'su_carousel' with suspicious characters (script tags, event handlers)
9. Search existing pages/posts for 'su_carousel' shortcodes with encoded or obfuscated script content
10. Set up alerts for modifications to attachment metadata fields by author-level users

PATCHING STRATEGY:
11. Contact the plugin vendor for a security update timeline; consider alternative carousel plugins if no patch timeline is provided
12. Prepare a rollback plan before applying any updates
13. Test updates in a staging environment first
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.14.2.1 - Secure development policy (input validation and output encoding requirements); A.14.2.5 - Secure development environment controls; A.12.6.1 - Management of technical vulnerabilities; A.12.2.1 - Monitoring of system use
🔵 SAMA CSF
ID.SC-7 - Software, firmware, and information integrity checks; PR.DS-6 - Integrity checking mechanisms; DE.CM-1 - The network is monitored to detect potential cybersecurity events; RS.MI-2 - Incidents are mitigated
🟡 ISO 27001:2022
A.14.2.1 - Secure development policy; A.14.2.5 - Secure development environment; A.12.6.1 - Management of technical vulnerabilities; A.14.3.1 - Separation of development, test and production environments
🟣 PCI DSS v4.0.1
6.5.7 - Cross-site scripting (XSS); 6.2 - Ensure security patches are installed; 11.2 - Run automated vulnerability scans
📊 CVSS Score
6.4 / 10.0 — Medium
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector: N — Network
Attack Complexity: L — Low
Privileges Required: L — Low
User Interaction: N — None
Scope: C — Changed
Confidentiality: L — Low
Integrity: L — Low
Availability: N — None
📋 Quick Facts
Severity: Medium
CVSS Score: 6.4
CWE: CWE-79
EPSS: 0.01%
Exploit: No
Patch: No
Published: 2026-04-04
Source Feed: nvd
🇸🇦 Saudi Risk Score
6.8 / 10.0 — Saudi Risk
Priority: HIGH