CVE-2023-6969 in User Shortcodes Plus Plugin
Summary
by MITRE • 03/13/2024
The User Shortcodes Plus plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.2 via the user_meta shortcode due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with contributor-level access and above, to retrieve potentially sensitive user meta.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 04/12/2026
The vulnerability identified as CVE-2023-6969 affects the User Shortcodes Plus plugin for WordPress, representing a critical security flaw that compromises user data integrity. This issue exists in all versions up to and including 2.0.2, specifically within the user_meta shortcode functionality. The vulnerability stems from inadequate input validation mechanisms that fail to properly sanitize user-controlled parameters, creating an exploitable path for unauthorized data access.
The technical flaw manifests as an Insecure Direct Object Reference vulnerability classified under CWE-639, where the plugin fails to validate the user-controlled key parameter passed to the user_meta shortcode. This allows authenticated users with contributor-level privileges or higher to manipulate the shortcode parameters and access meta data belonging to other users within the WordPress environment. The vulnerability essentially bypasses normal access control mechanisms that should restrict user meta data retrieval to only the authenticated user's own information.
Attackers exploiting this vulnerability can leverage their contributor-level access to enumerate sensitive user meta information that may include personal details, authentication tokens, or other potentially compromising data. The operational impact extends beyond simple information disclosure, as this vulnerability enables lateral movement within the WordPress ecosystem and can facilitate more sophisticated attacks. The attacker's ability to access other users' meta data creates opportunities for credential harvesting, social engineering, or further privilege escalation attempts within the compromised WordPress installation.
The vulnerability affects WordPress environments where the User Shortcodes Plus plugin is installed and actively used, particularly in multi-user environments where contributors and higher-level users have access to the site's functionality. This makes it especially dangerous in collaborative publishing environments or membership sites where multiple users with varying permission levels interact with the platform. The exploitation requires minimal privileges, making it accessible to users who should not have access to other users' data, thereby violating fundamental security principles of least privilege and data isolation.
Organizations should immediately update to the latest version of the User Shortcodes Plus plugin where this vulnerability has been addressed through proper input validation and access control enforcement. System administrators should also implement monitoring for unusual shortcode usage patterns and conduct regular security audits of installed plugins. The mitigation strategy should include immediate patching, followed by a comprehensive review of user permissions and access controls within WordPress installations. Additionally, implementing web application firewalls and security monitoring solutions can help detect and prevent exploitation attempts of similar vulnerabilities in the future, aligning with defensive measures recommended in the ATT&CK framework for credential access and privilege escalation techniques.