Does Shortcoder — Create Shortcodes for Anything have any unpatched vulnerabilities?

No. All known vulnerabilities in Shortcoder — Create Shortcodes for Anything have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is Shortcoder — Create Shortcodes for Anything compatible with WordPress 6.9.4?

According to WordPress.org data, Shortcoder — Create Shortcodes for Anything 6.5.2 has been tested up to WordPress 6.9.4. Check the plugin's changelog for the latest compatibility information.

Is Shortcoder — Create Shortcodes for Anything compatible with PHP 5.3+?

Shortcoder — Create Shortcodes for Anything requires PHP 5.3 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is Shortcoder — Create Shortcodes for Anything updated?

Shortcoder — Create Shortcodes for Anything was last updated on Mar 1, 2026. Frequent updates are generally a positive security signal.

What is Shortcoder — Create Shortcodes for Anything's security score?

Shortcoder — Create Shortcodes for Anything has a WP-Safety security score of 98/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Shortcoder — Create Shortcodes for Anything Security & Risk Analysis

wordpress.org/plugins/shortcoder

Create custom "Shortcodes" easily for HTML, JavaScript, CSS code snippets and use the shortcodes within posts, pages & widgets

100K active installs v6.5.2 PHP 5.3+ WP 4.9.0+ Updated Mar 1, 2026

codehtmljavascriptshortcodesnippets

A · Safe

CVEs total2

Unpatched0

Last CVEJan 9, 2026

Plugin page Download

Safety Verdict

Is Shortcoder — Create Shortcodes for Anything Safe to Use in 2026?

Generally Safe

Score 98/100

Shortcoder — Create Shortcodes for Anything has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEsLast CVE: Jan 9, 2026Updated 1mo ago

Risk Assessment

The plugin "shortcoder" v6.5.2 exhibits a mixed security posture. On the positive side, the plugin demonstrates strong adherence to secure coding practices by utilizing prepared statements for all SQL queries and implementing nonce and capability checks for its entry points, including AJAX handlers and shortcodes. The static analysis found no dangerous functions, file operations, or unsanitized taint flows, which are significant strengths.

However, a notable concern arises from the output escaping, where only 58% of outputs are properly escaped. This indicates a potential for Cross-Site Scripting (XSS) vulnerabilities, especially given that one of the past common vulnerability types was indeed XSS. The presence of external HTTP requests, while not inherently insecure, warrants careful review in a real-world scenario. The plugin also bundles the TinyMCE library, which, if outdated or itself vulnerable, could introduce risks. The vulnerability history, although showing no currently unpatched CVEs, reveals two past medium-severity vulnerabilities, one of which was related to XSS and another to missing authorization. This pattern suggests a tendency for vulnerabilities to emerge, even if they are eventually patched.

Key Concerns

Low output escaping percentage
Bundled library (TinyMCE)
Past medium vulnerabilities (2 total)
External HTTP requests (1)

Vulnerabilities

Shortcoder — Create Shortcodes for Anything Security Vulnerabilities

CVEs by Year

1 CVE in 2023

2023

1 CVE in 2026

2026

Patched Has unpatched

Severity Breakdown

Medium

2 total CVEs

CVE-2026-27074medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Shortcoder — Create Shortcodes for Anything <= 6.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jan 9, 2026 Patched in 6.5.2 (57d)

CVE-2023-49849medium · 5.3Missing Authorization

Shortcoder <= 6.3 - Missing Authorization

Dec 6, 2023 Patched in 6.3.1 (48d)

Code Analysis

Analyzed Mar 16, 2026

Shortcoder — Create Shortcodes for Anything Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

53 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

TinyMCE

Output Escaping

58% escaped91 total outputs

Attack Surface

Shortcoder — Create Shortcodes for Anything Attack Surface

Entry Points3

Unprotected0

AJAX Handlers 2

authwp_ajax_sc_admin_ajaxadmin\admin.php:19

authwp_ajax_sc_insert_windowadmin\tools.php:10

Shortcodes 1

[sc] shortcoder.php:33

WordPress Hooks 24

actioninitadmin\admin.php:9

actioninitadmin\admin.php:11

actionadmin_enqueue_scriptsadmin\admin.php:13

actionadmin_footeradmin\admin.php:15

actionadmin_footeradmin\admin.php:17

actionadmin_menuadmin\admin.php:23

actionedit_form_after_titleadmin\edit.php:9

actionadd_meta_boxesadmin\edit.php:11

filterwp_insert_post_dataadmin\edit.php:15

actionadmin_enqueue_scriptsadmin\edit.php:17

filteradmin_footer_textadmin\edit.php:19

filteredit_posts_per_pageadmin\manage.php:12

actionadmin_menuadmin\settings.php:7

actionadmin_enqueue_scriptsadmin\settings.php:9

actionadmin_initadmin\tools.php:13

actionwp_enqueue_editoradmin\tools.php:15

actioninitadmin\tools.php:18

filtermce_buttonsadmin\tools.php:24

filtermce_external_pluginsadmin\tools.php:26

actionadmin_initincludes\updates.php:11

filtercontent_save_preincludes\updates.php:110

filtercontent_filtered_save_preincludes\updates.php:111

filtercontent_save_preincludes\updates.php:156

filtercontent_filtered_save_preincludes\updates.php:157

Maintenance & Trust

Shortcoder — Create Shortcodes for Anything Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4

Last updatedMar 1, 2026

PHP min version5.3

Downloads1.9M

Community Trust

Rating98/100

Number of ratings225

Active installs100K

Alternatives

Shortcoder — Create Shortcodes for Anything Alternatives

WebberZone Snippetz – Header, Body and Footer manager

add-to-all

The ultimate snippet manager for WordPress. Create and manage custom HTML, CSS, or JS code snippets and control where and when they are displayed.

2K 1 CVE

Insert Title

insert-title

This plugin simply Insert post's or page's title in content area. If you are really sick of copying and pasting title in content again and a …

30 No CVEs

Insert ShortCode Pattern

insert-shortcode-pattern

Шаблонный текст вставляемый на страницу при помощи шорткода. HTML теги, PHP код

10 No CVEs

OS HTML5 Shortcodes

os-html5-shortcodes

Using shortcodes you can easily add HTML codes such as ad codes, javascript, video embedding, etc in your pages, posts or custom posts.

10 No CVEs

HTMLPress

htmlpress

Simple HTML snippets generator and use it with shortcode.

0 No CVEs

Developer Profile

Shortcoder — Create Shortcodes for Anything Developer Profile

vaakash

6 plugins · 133K total installs

trust score

Avg Security Score

96/100

Avg Patch Time

157 days

View full developer profile

Detection Fingerprints

How We Detect Shortcoder — Create Shortcodes for Anything

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/shortcoder/css/bootstrap.min.css/wp-content/plugins/shortcoder/css/editor.css/wp-content/plugins/shortcoder/css/font-awesome.min.css/wp-content/plugins/shortcoder/css/manage.css/wp-content/plugins/shortcoder/css/sc-admin.css/wp-content/plugins/shortcoder/css/sc-frontend.css/wp-content/plugins/shortcoder/js/bootstrap.min.js/wp-content/plugins/shortcoder/js/codemirror/lib/codemirror.js+21 more

Script Paths

/wp-content/plugins/shortcoder/js/sc-frontend.js

Version Parameters

shortcoder/css/bootstrap.min.css?ver=shortcoder/css/editor.css?ver=shortcoder/css/font-awesome.min.css?ver=shortcoder/css/manage.css?ver=shortcoder/css/sc-admin.css?ver=shortcoder/css/sc-frontend.css?ver=shortcoder/js/bootstrap.min.js?ver=shortcoder/js/codemirror/lib/codemirror.js?ver=shortcoder/js/codemirror/mode/css/css.js?ver=shortcoder/js/codemirror/mode/htmlmixed/htmlmixed.js?ver=shortcoder/js/codemirror/mode/javascript/javascript.js?ver=shortcoder/js/codemirror/mode/php/php.js?ver=shortcoder/js/codemirror/mode/sql/sql.js?ver=shortcoder/js/codemirror/mode/xml/xml.js?ver=shortcoder/js/codemirror/addon/edit/closebrackets.js?ver=shortcoder/js/codemirror/addon/edit/closetag.js?ver=shortcoder/js/codemirror/addon/edit/matchbrackets.js?ver=shortcoder/js/codemirror/addon/fold/brace-fold.js?ver=shortcoder/js/codemirror/addon/fold/xml-fold.js?ver=shortcoder/js/editor.js?ver=shortcoder/js/jquery.mCustomScrollbar.concat.min.js?ver=shortcoder/js/jquery.multiselect.js?ver=shortcoder/js/jquery.serializeJSON.min.js?ver=shortcoder/js/jquery.simple-dt.min.js?ver=shortcoder/js/jquery.validate.min.js?ver=shortcoder/js/manage.js?ver=shortcoder/js/sc-admin.js?ver=shortcoder/js/sc-frontend.js?ver=shortcoder/js/sc-tinymce.js?ver=

HTML / DOM Fingerprints

CSS Classes

sc-admin-wrapsc-editor-wrapsc-manage-wrapsc-add-edit-wrapsc-tools-wrap

HTML Comments

Data Attributes

data-sc-iddata-sc-name

JS Globals

sc_shortcodes_listsc_obj

FAQ