WP-Safety

Shortcode Mastery Security & Risk Analysis

wordpress.org/plugins/shortcode-mastery-lite

Shortcode Mastery аllows you to create shortcodes with rich customization options and unlimited number of default parameters.

10 active installs v2.0.0 PHP + WP 4.0+ Updated Feb 13, 2019
shortcodeshortcode-buildershortcodes
85
A · Safe
CVEs total0
Unpatched0
Last CVENever
Download
Safety Verdict

Is Shortcode Mastery Safe to Use in 2026?

Generally Safe

Score 85/100

Shortcode Mastery has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 7yr ago
Risk Assessment

The shortcode-mastery-lite plugin v2.0.0 exhibits a generally strong security posture with no known historical vulnerabilities. The static analysis indicates good practices in several areas, including a robust number of nonce and capability checks, and a moderate percentage of SQL queries utilizing prepared statements. The absence of external HTTP requests and zero recorded CVEs are significant strengths.

However, the analysis does reveal areas of concern. Notably, 54% of output escaping is not properly done, which could lead to cross-site scripting (XSS) vulnerabilities if malicious input is not handled correctly. Additionally, three taint flows were found with unsanitized paths, and one is of high severity, suggesting a potential risk of path traversal or other file system related attacks if these flows are triggered with user-supplied input.

While the attack surface is small and all identified entry points have some form of authentication, the presence of unsanitized paths in the taint analysis, coupled with less than ideal output escaping, presents a moderate risk. The plugin's clean vulnerability history is reassuring, but the identified code signals warrant careful attention to mitigate potential weaknesses.

Key Concerns

  • High severity taint flow with unsanitized path
  • Significant portion of outputs not properly escaped
  • Taint flows with unsanitized paths detected
  • SQL queries with insufficient prepared statement usage
Vulnerabilities
None known

Shortcode Mastery Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

Shortcode Mastery Release Timeline

No version history available.
Code Analysis
Analyzed Mar 17, 2026

Shortcode Mastery Code Analysis

Dangerous Functions
0
Raw SQL Queries
3
4 prepared
Unescaped Output
115
137 escaped
Nonce Checks
13
Capability Checks
9
File Operations
11
External Requests
0
Bundled Libraries
1

Bundled Libraries

TinyMCE

SQL Query Safety

57% prepared7 total queries

Output Escaping

54% escaped252 total outputs
Data Flows · Security
3 unsanitized

Data Flow Analysis

8 flows3 with unsanitized paths
add_shortcode_to_database (classes\class.shortcode-mastery.php:1355)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

Shortcode Mastery Attack Surface

Entry Points1
Unprotected0

AJAX Handlers 1

authwp_ajax_ajax_sm_submitclasses\class.shortcode-mastery.php:401
WordPress Hooks 26
actionplugins_loadedclasses\class.shortcode-mastery-elementor.php:46
actionsm_render_noticesclasses\class.shortcode-mastery-elementor.php:47
actionsm_render_noticesclasses\class.shortcode-mastery-elementor.php:48
actionelementor/elements/categories_registeredclasses\class.shortcode-mastery-elementor.php:58
actionelementor/widgets/widgets_registeredclasses\class.shortcode-mastery-elementor.php:59
actionelementor/frontend/after_enqueue_stylesclasses\class.shortcode-mastery-elementor.php:60
actionelementor/editor/after_saveclasses\class.shortcode-mastery-elementor.php:61
actionelementor/frontend/after_register_scriptsclasses\class.shortcode-mastery-elementor.php:62
actioninitclasses\class.shortcode-mastery.php:353
actioninitclasses\class.shortcode-mastery.php:359
actioninitclasses\class.shortcode-mastery.php:361
actioninitclasses\class.shortcode-mastery.php:363
actionwp_enqueue_scriptsclasses\class.shortcode-mastery.php:369
actionadmin_initclasses\class.shortcode-mastery.php:375
actionadmin_initclasses\class.shortcode-mastery.php:377
actionadmin_menuclasses\class.shortcode-mastery.php:383
actionadmin_bar_menuclasses\class.shortcode-mastery.php:389
actionadmin_enqueue_scriptsclasses\class.shortcode-mastery.php:395
actionadmin_action_shortcode-mastery-preview-pageclasses\class.shortcode-mastery.php:403
filteradmin_body_classclasses\class.shortcode-mastery.php:409
filterthe_contentclasses\class.shortcode-mastery.php:415
filteradmin_body_classclasses\class.shortcode-mastery.php:676
actionadmin_action_shortcode-mastery-tinymce-pageclasses\tinymce\class.shortcode-mastery-tinymce.php:40
actionmedia_buttonsclasses\tinymce\class.shortcode-mastery-tinymce.php:42
actionwp_enqueue_mediaclasses\tinymce\class.shortcode-mastery-tinymce.php:44
actionadmin_enqueue_scriptsclasses\tinymce\class.shortcode-mastery-tinymce.php:58
Maintenance & Trust

Shortcode Mastery Maintenance & Trust

Maintenance Signals

WordPress version tested5.0.25
Last updatedFeb 13, 2019
PHP min version
Downloads2K

Community Trust

Rating0/100
Number of ratings0
Active installs10
Alternatives

Shortcode Mastery Alternatives

Column Shortcodes

Column Shortcodes

column-shortcodes

A
85

Adds shortcodes to easily create columns in your posts or pages.

60K No CVEs
Apollo13 Framework Extensions

Apollo13 Framework Extensions

apollo13-framework-extensions

A
95

Adds custom post types, shortcodes and some features that are used in themes built on Apollo13 Framework.

20K 6 CVEs
Futurio Extra

Futurio Extra

futurio-extra

A
96

Futurio Extra add extra features to Futurio theme like widgets, WooCommerce options, Elementor widgets, one click demo import and much more.

20K 7 CVEs
ND Shortcodes

ND Shortcodes

nd-shortcodes

A
89

The plugin adds some useful components to your page builder ( Elementor or WP Bakery Page Builder ). All components are full responsive and retina rea …

20K 5 CVEs
Contact Form 7 Shortcode Enabler

Contact Form 7 Shortcode Enabler

contact-form-7-shortcode-enabler

A
92

This plugin enables the usage of external shortcodes inside Contact Form 7 Forms.

10K No CVEs
Developer Profile

Shortcode Mastery Developer Profile

uncleserj

1 plugin · 10 total installs

84
trust score
Avg Security Score
85/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect Shortcode Mastery

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/shortcode-mastery-lite/assets/css/backend.css/wp-content/plugins/shortcode-mastery-lite/assets/css/backend.min.css/wp-content/plugins/shortcode-mastery-lite/assets/css/frontend.css/wp-content/plugins/shortcode-mastery-lite/assets/css/frontend.min.css/wp-content/plugins/shortcode-mastery-lite/assets/js/backend.js/wp-content/plugins/shortcode-mastery-lite/assets/js/backend.min.js/wp-content/plugins/shortcode-mastery-lite/assets/js/frontend.js/wp-content/plugins/shortcode-mastery-lite/assets/js/frontend.min.js+8 more
Script Paths
/wp-content/plugins/shortcode-mastery-lite/assets/js/backend.js/wp-content/plugins/shortcode-mastery-lite/assets/js/backend.min.js/wp-content/plugins/shortcode-mastery-lite/assets/js/frontend.js/wp-content/plugins/shortcode-mastery-lite/assets/js/frontend.min.js
Version Parameters
/wp-content/plugins/shortcode-mastery-lite/assets/css/backend.css?ver=/wp-content/plugins/shortcode-mastery-lite/assets/css/frontend.css?ver=/wp-content/plugins/shortcode-mastery-lite/assets/js/backend.js?ver=/wp-content/plugins/shortcode-mastery-lite/assets/js/frontend.js?ver=

HTML / DOM Fingerprints

CSS Classes
sm-editor-container
HTML Comments
<!-- Shortcode Mastery --><!-- Shortcode Mastery Elementor -->
Data Attributes
data-sm-iddata-sm-title
JS Globals
ShortcodeMasteryShortcodeMasteryData
Shortcode Output
<div class="sm-shortcode-output"><div class="sm-elementor-widget-container">
FAQ

Frequently Asked Questions about Shortcode Mastery