CVE-2023-6226
Published 2023-11-28
CVE-2023-6226: The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including…
Priority: P4 23 · medium · 4.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.53% (40.7th percentile)
The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.13.3 via the su_meta shortcode due to missing validation on the user controlled keys 'key' and 'post_id'. This makes it possible for authenticated attackers, with contributor-level access and above, to retrieve arbitrary post meta values which may contain sensitive information when combined with another plugin.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| getshortcodes | shortcodes_ultimate | < 7.0.0 | 7.0.0 |
| gn_themes | wp_shortcodes_plugin_shortcodes_ultimate | <= 5.13.3 | — |
VulDB
WP Shortcodes Plugin up to 5.13.3 on WordPress resource injection
vuldb·2026-04-11·CVSS 4.3
CVE-2023-6226 [MEDIUM] WP Shortcodes Plugin up to 5.13.3 on WordPress resource injection
A vulnerability labeled as problematic has been found in WP Shortcodes Plugin up to 5.13.3 on WordPress. Affected by this issue is some unknown functionality. Executing a manipulation can lead to improper control of resource identifiers.
The identification of this vulnerability is CVE-2023-6226. The attack may be launched remotely. There is no exploit available.
GHSA
GHSA-g352-7rff-pgcm: The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and inclu
ghsa_unreviewed·2023-11-28
CVE-2023-6226 [MEDIUM] CWE-639 GHSA-g352-7rff-pgcm: The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and inclu
The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.13.3 via the su_meta shortcode due to missing validation on the user controlled keys 'key' and 'post_id'. This makes it possible for authenticated attackers, with contributor-level access and above, to retrieve arbitrary post meta values which may contain sensitive information when combined with another plugin.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://plugins.trac.wordpress.org/browser/shortcodes-ultimate/trunk/includes/shortcodes/meta.php
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3000576%40shortcodes-ultimate&new=3000576%40shortcodes-ultimate&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/4d936a48-b300-4a41-8d28-ba34cb3c5cb7?source=cve