Vulnerabilities ›

CVE-2026-1257

High

CWE-98 — Weakness Type

                    Published: Jan 24, 2026                      ·  Modified: Feb 28, 2026                      ·  Source: NVD                

CVSS v3

7.5

🔗 NVD Official

📄 Description (English)

The Administrative Shortcodes plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0.3.4 via the 'slug' attribute of the 'get_template' shortcode. This is due to insufficient path validation on user-supplied input passed to the get_template_part() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included.

🤖 AI Executive Summary

The Administrative Shortcodes WordPress plugin versions up to 0.3.4 contain a Local File Inclusion vulnerability in the 'get_template' shortcode that allows authenticated contributors to include and execute arbitrary files. Attackers can leverage this to execute PHP code, bypass access controls, and access sensitive data on affected servers.

📄 Description (Arabic)

تحتوي إضافة Administrative Shortcodes لـ WordPress على ثغرة في التحقق من صحة المسارات في اختصار get_template تسمح للمهاجمين المصرحين بمستوى المساهم بتضمين وتنفيذ ملفات عشوائية. يمكن استخدام هذه الثغرة لتنفيذ أكواد PHP وتجاوز عناصر التحكم في الوصول والوصول إلى البيانات الحساسة.

🤖 ملخص تنفيذي (AI)

🤖 AI Intelligence Analysis Analyzed: May 3, 2026 10:02

🇸🇦 Saudi Arabia Impact Assessment

Saudi Relevance: high

🏢 Affected Saudi Sectors

government banking telecom healthcare

🎯 MITRE ATT&CK Techniques

T1190 T1105 T1059.007

⚖️ Saudi Risk Score (AI)

7.0

/ 10.0

🔧 Remediation Steps (English)

Update the Administrative Shortcodes plugin to version 0.3.5 or later immediately. If immediate patching is not possible, restrict Contributor-level access to trusted users only, disable the plugin, or implement Web Application Firewall rules to block malicious shortcode usage patterns.

🔧 خطوات المعالجة (العربية)

قم بتحديث إضافة Administrative Shortcodes إلى الإصدار 0.3.5 أو أحدث فوراً. إذا لم يكن التحديث ممكناً، قيّد وصول مستوى المساهم للمستخدمين الموثوقين فقط، أو عطّل الإضافة، أو طبّق قواعد جدار الحماية لتطبيقات الويب لحظر أنماط الاختصارات الضارة.

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

A.12.6.1 A.14.2.1

🔵 SAMA CSF

CC6.1 CC6.2 CC7.2

🟡 ISO 27001:2022

A.12.6.1 A.14.2.1 A.14.2.5

🔗 References & Sources 4

🔗

https://plugins.trac.wordpress.org/browser/administrative-shortcodes/tags/0.3.4/adminis...

security@wordfence.com

🔗

https://plugins.trac.wordpress.org/browser/administrative-shortcodes/trunk/administrati...

security@wordfence.com

🔗

https://wordpress.org/plugins/administrative-shortcodes

security@wordfence.com

🔗

https://www.wordfence.com/threat-intel/vulnerabilities/id/119fe499-88c4-413f-a44a-2b3ac...

security@wordfence.com

📊 CVSS Score

7.5

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack VectorN — None / Network

Attack ComplexityH — High

Privileges RequiredL — Low / Local

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityH — High

IntegrityH — High

AvailabilityH — High

📋 Quick Facts

Severity High

CVSS Score7.5

CWECWE-98

EPSS0.04%

Exploit No

Patch ✓ Yes

Published 2026-01-24

Source Feed nvd

🇸🇦 Saudi Risk Score

7.0

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

CWE-98

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 Comments

Loading comments

CVE-2026-1257

💬 Comments

Introduce Yourself

Sign In Required