CVE-2023-5565 in Shortcode Menu Plugin
Summary
by MITRE • 10/30/2023
The Shortcode Menu plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'shortmenu' shortcode in versions up to, and including, 3.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Analysis
by VulDB Data Team • 04/11/2026
CVE-2023-5565 affects the Shortcode Menu plugin for WordPress in versions up to and including 3.2. It is a stored cross-site scripting flaw: attribute values handed to the plugin's 'shortmenu' shortcode are neither sanitized on input nor escaped on output, so script injected through them is saved with the post and rendered to everyone who views the affected page. Because the payload runs in the victim's browser with the victim's WordPress session, it can be used to hijack that session and act with its privileges.
The flaw sits in the 'shortmenu' shortcode handler, where user-supplied attributes are interpolated into the generated HTML without sanitization or escaping. It is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), the general cross-site scripting weakness, and CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page), the specific case of script-related tags left unneutralized. The required privilege is contributor or higher. That threshold matters more than it may appear: WordPress core already strips script tags and event-handler attributes from the post body of any user without the unfiltered_html capability (contributors included) through wp_kses at save time, but shortcode text is stored verbatim and is only turned into markup when do_shortcode() runs the plugin's handler at render time, and that output is not filtered again. An unescaped shortcode handler therefore reopens exactly the path that core filtering closes for low-privileged authors.
An attacker with such an account injects the payload through the shortcode's attribute values; the text is stored in the database as part of the post and is executed in the browser of anyone who views the page once the shortcode is expanded. Because contributors cannot publish, the first viewer of a malicious draft is usually the editor or administrator reviewing or previewing it, which is precisely the high-privilege session an attacker wants. The payload persists until the content is edited or removed, so it can affect many users over time. Beyond running arbitrary script, it enables session hijacking, data exfiltration and any action the victim's browser is allowed to perform in the WordPress admin interface, which in an administrator's session amounts to privilege escalation over the whole installation.
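The following is an added example, not code from the Shortcode Menu plugin: a shortcode handler written in the vulnerable pattern the analysis describes beside a hardened version. The attribute names (menu, class, label), the minimal stand-in for WordPress's shortcode_atts(), and the attacker input are constructed for illustration; the page does not list the plugin's real attributes. The attacker string relies on a documented property of the WordPress shortcode parser: a single-quoted attribute value may contain double quotes, so a value like `'" onmouseover="..."'` survives parsing intact and closes the HTML attribute it is written into.

```php
<?php
// Added example (not the plugin's code). Attribute names, the shortcode_atts()
// stand-in and the attacker input are constructed for illustration; the page
// does not list the real attributes of the 'shortmenu' shortcode.

declare(strict_types=1);

// Minimal stand-in for WordPress's shortcode_atts(): merge user attributes over
// the defaults, dropping any attribute name that is not in the default list.
function shortmenu_atts(array $defaults, array $atts): array
{
    $out = $defaults;
    foreach ($atts as $name => $value) {
        if (array_key_exists($name, $defaults)) {
            $out[$name] = (string) $value;
        }
    }
    return $out;
}

// VULNERABLE pattern (CWE-79 / CWE-80): attribute values are interpolated straight
// into HTML. This runs at render time, after wp_kses has already filtered the
// post body on save, so a contributor without unfiltered_html still gets raw
// quotes and angle brackets into the markup.
function shortmenu_render_vulnerable(array $atts): string
{
    $a = shortmenu_atts(['menu' => 'main', 'class' => '', 'label' => 'Menu'], $atts);
    return '<div class="shortmenu ' . $a['class'] . '" data-menu="' . $a['menu'] . '">'
         . '<span class="shortmenu-label">' . $a['label'] . '</span></div>';
}

// HARDENED version: every value is escaped for the context it lands in.
// htmlspecialchars(..., ENT_QUOTES) is used here as a stand-in for WordPress's
// esc_attr()/esc_html(); the class value is additionally reduced to an allowlist
// of class-name characters (what sanitize_html_class() does per token), so a
// quote can never terminate the attribute.
function shortmenu_render_fixed(array $atts): string
{
    $a = shortmenu_atts(['menu' => 'main', 'class' => '', 'label' => 'Menu'], $atts);
    $class = preg_replace('/[^A-Za-z0-9_\- ]/', '', $a['class']);                // allowlist
    $menu  = htmlspecialchars($a['menu'],  ENT_QUOTES | ENT_HTML5, 'UTF-8');     // attribute context
    $label = htmlspecialchars($a['label'], ENT_QUOTES | ENT_HTML5, 'UTF-8');     // text context
    return '<div class="shortmenu ' . $class . '" data-menu="' . $menu . '">'
         . '<span class="shortmenu-label">' . $label . '</span></div>';
}

// Constructed attacker input, as a contributor could type it into a draft:
//   [shortmenu class='" onmouseover="alert(document.cookie)' label='<img src=x onerror=alert(1)>']
// The first value closes the class attribute and adds an event handler; the
// second injects a tag into text context.
$attackerAtts = [
    'class' => '" onmouseover="alert(document.cookie)',
    'label' => '<img src=x onerror=alert(1)>',
];

echo "Vulnerable:\n", shortmenu_render_vulnerable($attackerAtts), "\n\n";
echo "Fixed:\n",      shortmenu_render_fixed($attackerAtts), "\n";
```

Run with `php shortmenu_example.php`. The vulnerable branch emits an onmouseover handler and a live img tag; the fixed branch emits a harmless class token and `&lt;img ...&gt;` as visible text. The design point is that escaping is chosen per output context (attribute versus text node): a single escaping function applied everywhere is not enough when one value ends up inside an attribute and another inside an element body.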
The risk falls on site administrators and content creators who may not notice a malicious shortcode, since in the editor it looks like an ordinary menu definition. Payloads embedded in the attributes can steal cookies, redirect users to attacker-controlled sites or perform other actions in the victim's session. Multi-author sites that hand out contributor accounts freely, or that accept guest authors without vetting, are the most exposed, because a single such account is enough to reach every reader of the page and the staff who review it.
Mitigation should begin with updating the plugin to a release later than 3.2 that escapes the shortcode attributes. Where that cannot happen immediately, administrators should review existing content for shortcode usage, particularly posts created by contributor-level users, and monitor for unusual attribute values in 'shortmenu' shortcodes; a web application firewall adds a layer against the most obvious payloads, but it cannot be relied on to catch every encoding. VulDB maps the issue to ATT&CK T1548.005, a sub-technique of 'Abuse Elevation Control Mechanism'; the relevance is that a low-privileged contributor uses the plugin to run code in the browser of a higher-privileged reviewer. Organizations should also apply least privilege (issue contributor accounts only where needed and remove stale ones) and audit installed plugins regularly for the same pattern: a shortcode or widget that echoes user-supplied attributes without esc_attr() or esc_html().
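The content review and monitoring recommended above can be scripted. The following is an added example, not code from VulDB or the plugin vendor: a hunt over wp_posts rows for 'shortmenu' shortcodes whose attribute strings contain markup, event handlers or encoded angle brackets. The sample rows are constructed; the regular expressions are my own heuristics rather than any published signature, and the wp db query shown in the comment is how one would feed real rows in.

```php
<?php
// Added example (not VulDB's or the vendor's code): hunt wp_posts for 'shortmenu'
// shortcodes carrying attribute values that have no place in a menu definition.
// $rows below are constructed sample records. In production, feed rows from
//   wp db query "SELECT ID, post_author, post_status, post_content FROM wp_posts
//                WHERE post_content LIKE '%[shortmenu%'"
// The detection heuristics are assumptions, not a published rule.

declare(strict_types=1);

// Matches [shortmenu ...] and captures the raw attribute string. A simplified
// version of the shape WordPress's get_shortcode_regex() produces for one tag.
const SHORTMENU_RE = '/\[shortmenu\b([^\]]*)\]/i';

// Attribute content that indicates markup or script rather than configuration.
// Applied to the raw attribute string so quoted and encoded variants still trip.
const SUSPICIOUS_RE = [
    'tag_chars'      => '/[<>]/',
    'quote_breakout' => '/["\']\s*on[a-z]+\s*=/i',      // closing quote followed by an event handler
    'event_handler'  => '/\bon[a-z]+\s*=/i',
    'js_uri'         => '/javascript\s*:/i',
    'encoded_tag'    => '/&#x?[0-9a-f]+;|%3c|%3e/i',     // numeric entities or URL-encoded brackets
];

// Returns one record per suspicious shortcode occurrence, with the reasons that fired.
function find_suspicious_shortmenu(array $rows): array
{
    $hits = [];
    foreach ($rows as $row) {
        if (!preg_match_all(SHORTMENU_RE, $row['post_content'], $m)) {
            continue;
        }
        foreach ($m[1] as $attrString) {
            $reasons = [];
            foreach (SUSPICIOUS_RE as $name => $re) {
                if (preg_match($re, $attrString)) {
                    $reasons[] = $name;
                }
            }
            if ($reasons) {
                $hits[] = [
                    'ID'          => $row['ID'],
                    'post_author' => $row['post_author'],
                    'post_status' => $row['post_status'],
                    'attrs'       => trim($attrString),
                    'reasons'     => $reasons,
                ];
            }
        }
    }
    return $hits;
}

// Constructed sample rows: a benign use, a pending contributor draft with an
// attribute-breakout payload, and a draft with an entity-encoded payload.
$rows = [
    ['ID' => 101, 'post_author' => 2, 'post_status' => 'publish',
     'post_content' => 'Intro text [shortmenu menu="main" class="top"] more text'],
    ['ID' => 102, 'post_author' => 7, 'post_status' => 'pending',
     'post_content' => '[shortmenu menu="main" class=\'" onmouseover="alert(document.cookie)\']'],
    ['ID' => 103, 'post_author' => 7, 'post_status' => 'draft',
     'post_content' => 'See [shortmenu label="&#60;img src=x onerror=alert(1)&#62;"]'],
];

foreach (find_suspicious_shortmenu($rows) as $hit) {
    printf("post %d (author %d, %s): %s  [%s]\n",
        $hit['ID'], $hit['post_author'], $hit['post_status'],
        $hit['attrs'], implode(',', $hit['reasons']));
}
```

Post 101 produces no output; 102 and 103 are reported with the reasons that fired. Grouping hits by post_author and post_status is the useful pivot: a pending or draft post from a contributor account is the expected shape of an attempt against a reviewer, whereas a published hit means the payload has already reached readers. If the site also allows shortcodes in widgets or other option-stored content, the same function can be run over those strings.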