CVE-2023-5566 in Simple Shortcodes Plugininfo

Summary

by MITRE • 10/30/2023

The Simple Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 1.0.20 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 04/11/2026

The Simple Shortcodes plugin for WordPress represents a common class of vulnerabilities that exploits the fundamental trust placed in user-generated content within content management systems. This particular vulnerability affects versions up to and including 1.0.20, indicating a widespread exposure across multiple iterations of the plugin. The flaw resides in the plugin's failure to properly sanitize and escape user-supplied input parameters, creating a persistent vector for malicious code injection that can be stored within the WordPress database and executed repeatedly. The vulnerability specifically targets shortcode attributes where user input is processed without adequate validation mechanisms, allowing attackers to manipulate the plugin's behavior through crafted input that bypasses standard security controls.

The technical implementation of this stored cross-site scripting vulnerability stems from inadequate input sanitization practices within the plugin's shortcode processing functions. When administrators or users with contributor-level permissions create or modify content containing shortcodes, the plugin fails to properly escape or validate attribute values before storing them in the database. This creates a persistent threat where malicious scripts can be embedded in legitimate content and executed whenever any user accesses pages containing the compromised shortcodes. The vulnerability's classification aligns with CWE-79, which specifically addresses Cross-Site Scripting flaws, and demonstrates how insufficient output escaping creates opportunities for attackers to inject malicious payloads that execute in the context of other users' browsers.

From an operational perspective, this vulnerability presents significant risk to WordPress installations that rely on the Simple Shortcodes plugin, particularly those with multiple user roles or contributor-level access. The requirement for authenticated access at the contributor level or above provides some mitigation against unauthenticated exploitation, but still represents a critical threat vector since contributors typically have substantial write access to content. Attackers can leverage this vulnerability to execute scripts that may steal session cookies, redirect users to malicious sites, perform actions on behalf of victims, or harvest sensitive information from authenticated sessions. The stored nature of the vulnerability means that once injected, malicious code persists until manually removed, creating a long-term threat that can affect multiple users over extended periods.

The impact extends beyond immediate script execution to encompass broader security implications within WordPress environments. This vulnerability creates opportunities for attackers to establish persistent footholds within systems, potentially enabling further exploitation through privilege escalation or lateral movement. The ATT&CK framework classification would include techniques related to credential access and execution through web applications, as the stored XSS could be used to capture authentication tokens or perform unauthorized actions. Organizations should implement immediate remediation measures including plugin updates to versions that address the vulnerability, along with comprehensive monitoring of user activity and content modifications. Additionally, implementing proper input validation and output escaping practices in all custom plugin development, as recommended by the OWASP Top Ten, would prevent similar vulnerabilities from emerging in future implementations.

Responsible

Wordfence

Reservation

10/13/2023

Disclosure

10/30/2023

Moderation

accepted

CPE

ready

EPSS

0.00640

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!