Shortcode Security & Risk Analysis

wordpress.org/plugins/shortcode

Shortcode is a plugin that adds several useful shortcodes that you can use in your blog posts and pages.

600 active installs · v0.8.1 · PHP + · WP 2.5+ · Updated Apr 17, 2016
shortcode · statistics
63
C · Use Caution
CVEs total: 1
Unpatched: 1
Last CVE: Sep 22, 2025
Safety Verdict

Is Shortcode Safe to Use in 2026?

Use With Caution

Score 63/100

Shortcode has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

1 known CVE · 1 unpatched · Last CVE: Sep 22, 2025 · Updated 9yr ago

Risk Assessment

The "shortcode" plugin version 0.8.1 exhibits a mixed security posture. On the positive side, static analysis found no dangerous functions, file operations, or external HTTP requests. All identified output is properly escaped, and the plugin bundles no libraries, which can sometimes be a source of vulnerabilities. The attack surface comprises 32 shortcodes, and none is reported as an unprotected entry point, which is a good sign with respect to direct code execution risks from the outside. These results are limited to what the static analysis identified: the 100% escaping figure covers only 3 outputs, and the plugin still carries an unpatched stored cross-site scripting CVE.

Key Concerns

  • Unpatched medium severity CVE
  • Raw SQL queries without prepared statements
  • No nonce checks on entry points
  • No capability checks on entry points

Vulnerabilities: 1

Shortcode Security Vulnerabilities

CVEs by Year

1 CVE in 2025 · unpatched

Severity Breakdown

Medium: 1

1 total CVE

CVE-2025-58022 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Shortcode <= 0.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Sep 22, 2025 · Unpatched

Code Analysis
Analyzed Mar 16, 2026

Shortcode Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 22 (0 prepared)
Unescaped Output: 0 (3 escaped)
Nonce Checks: 0
Capability Checks: 0
File Operations: 0
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

0% prepared · 22 total queries

Output Escaping

100% escaped · 3 total outputs

Attack Surface

Shortcode Attack Surface

Entry Points: 32
Unprotected: 0

Shortcodes: 32

[postcount] shortcode.php:291
[postcountbr] shortcode.php:292
[nameoflongestpost] shortcode.php:293
[longestpostlength] shortcode.php:294
[allpostslength] shortcode.php:295
[pagecount] shortcode.php:296
[pagecountbr] shortcode.php:297
[catcount] shortcode.php:298
[catcountbr] shortcode.php:299
[catperpostavg] shortcode.php:300
[tagcount] shortcode.php:301
[tagcountbr] shortcode.php:302
[tagperpostavg] shortcode.php:303
[commentcount] shortcode.php:304
[ageindays] shortcode.php:305
[ageinmonths] shortcode.php:306
[ageinyears] shortcode.php:307
[postsperdayavg] shortcode.php:308
[charsperpostavg] shortcode.php:309
[futpostcount] shortcode.php:310
[draftpostcount] shortcode.php:311
[photosingallery] shortcode.php:312
[totalwords] shortcode.php:313
[totalwordsbr] shortcode.php:314
[ageindayscomma] shortcode.php:315
[shortestpostlength] shortcode.php:316
[nameofshortestpost] shortcode.php:317
[nggpictures] shortcode.php:318
[nggalleries] shortcode.php:319
[nggalbums] shortcode.php:320
[wparchive] shortcode.php:321
[wpcategories] shortcode.php:322
Maintenance & Trust

Shortcode Maintenance & Trust

Maintenance Signals

WordPress version tested: 4.2.39
Last updated: Apr 17, 2016
PHP min version
Downloads: 38K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 600

Developer Profile

Shortcode Developer Profile

maxpagels

3 plugins · 910 total installs

Trust score: 79
Avg Security Score: 78/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Shortcode

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

HTML / DOM Fingerprints

CSS Classes: archive-list