WP Shortcodes Plugin — Shortcodes Ultimate Security & Risk Analysis

wordpress.org/plugins/shortcodes-ultimate

A comprehensive collection of visual components for your site

400K active installs · v7.4.9 · PHP 5.4+ · WP 5.0+ · Updated Feb 2, 2026
Tags: carousel, columns, posts, shortcode, toggle

Score: 88 (A · Safe)
CVEs total: 32
Unpatched: 0
Last CVE: Nov 23, 2025
Safety Verdict

Is WP Shortcodes Plugin — Shortcodes Ultimate Safe to Use in 2026?

Generally Safe

Score 88/100

WP Shortcodes Plugin — Shortcodes Ultimate has a strong security track record. Known vulnerabilities have been patched promptly.

32 known CVEs · Last CVE: Nov 23, 2025 · Updated 2mo ago
Risk Assessment

The Shortcodes Ultimate plugin version 7.4.9 exhibits a mixed security posture. While it demonstrates good practices in handling SQL queries with 100% prepared statements and a high rate of output escaping (93%), significant concerns arise from its attack surface. The presence of 8 AJAX handlers, with 4 of them lacking authentication checks, presents a substantial risk of unauthorized actions. This is further amplified by taint analysis revealing one high severity flow with unsanitized paths, indicating a potential for attackers to exploit these entry points. The plugin's historical vulnerability record is a major red flag, with 32 known CVEs, predominantly in medium and high severity categories, including critical types like SSRF, XSS, and Path Traversal. Although there are currently no unpatched vulnerabilities, the sheer volume and nature of past issues suggest a recurring pattern of security weaknesses that require diligent attention. The plugin's strengths lie in its secure data handling for SQL and output, but the exposed entry points and past vulnerability trends necessitate caution.

Key Concerns

  • Unprotected AJAX handlers
  • High severity taint flow (unsanitized path)
  • Numerous past high/medium severity CVEs
  • Bundled Freemius v1.0 library
Vulnerabilities (32)

WP Shortcodes Plugin — Shortcodes Ultimate Security Vulnerabilities

CVEs by Year

2015: 1 CVE
2017: 2 CVEs
2021: 1 CVE
2022: 3 CVEs
2023: 8 CVEs
2024: 10 CVEs
2025: 7 CVEs

Severity Breakdown

High: 3
Medium: 29

32 total CVEs

CVE-2025-12800 · medium · 6.4 · Server-Side Request Forgery (SSRF)
WP Shortcodes Plugin — Shortcodes Ultimate <= 7.4.5 - Authenticated (Administrator+) Server-Side Request Forgery
Nov 23, 2025 · Patched in 7.4.6 (1d)

CVE-2025-8015 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Shortcodes Ultimate <= 7.4.2 - Authenticated (Author+) Stored Cross-Site Scripting via Image Title and Slide Link
Jul 21, 2025 · Patched in 7.4.3 (26d)

CVE-2025-7354 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WP Shortcodes Plugin — Shortcodes Ultimate <= 7.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Plugin Shortcodes
Jul 20, 2025 · Patched in 7.4.3 (1d)

CVE-2025-7369 · medium · 6.1 · Cross-Site Request Forgery (CSRF)
Shortcodes Ultimate <= 7.4.2 - Cross-Site Request Forgery to Arbitrary Shortcode Execution
Jul 20, 2025 · Patched in 7.4.3 (18d)

CVE-2025-5567 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Shortcodes Ultimate <= 7.4.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'data-url' Attribute
Jul 3, 2025 · Patched in 7.4.1 (1d)

CVE-2025-49244 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Shortcodes Ultimate <= 7.3.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
Jun 5, 2025 · Patched in 7.4.0 (7d)

CVE-2025-0370 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WP Shortcodes Plugin — Shortcodes Ultimate <= 7.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via src Parameter
Mar 3, 2025 · Patched in 7.3.4 (1d)

CVE-2024-8500 · medium · 5.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WP Shortcodes Plugin — Shortcodes Ultimate <= 7.2.2 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting
Oct 22, 2024 · Patched in 7.3.0 (1d)

CVE-2024-4821 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WP Shortcodes Plugin — Shortcodes Ultimate <= 7.1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via su_lightbox Shortcode
Jun 4, 2024 · Patched in 7.1.7 (13d)

CVE-2024-4553 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WP Shortcodes Plugin — Shortcodes Ultimate <= 7.1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via su_members Shortcode
May 20, 2024 · Patched in 7.1.6 (1d)

CVE-2024-3550 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WP Shortcodes Plugin — Shortcodes Ultimate <= 7.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Apr 29, 2024 · Patched in 7.1.3 (4d)

CVE-2024-3548 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WP Shortcodes Plugin — Shortcodes Ultimate <= 7.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via su_lightbox
Apr 24, 2024 · Patched in 7.1.2 (23d)

CVE-2024-3188 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Shortcodes Ultimate <= 7.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
Apr 5, 2024 · Patched in 7.1.0 (15d)

CVE-2024-2583 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Shortcodes Ultimate <= 7.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'note_color' Shortcode
Mar 23, 2024 · Patched in 7.0.5 (33d)

CVE-2024-1808 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WP Shortcodes Plugin — Shortcodes Ultimate <= 7.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via su_qrcode Shortcode
Feb 27, 2024 · Patched in 7.0.4 (2d)

CVE-2024-1510 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WP Shortcodes Plugin — Shortcodes Ultimate <= 7.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via su_tooltip Shortcode
Feb 19, 2024 · Patched in 7.0.3 (1d)

CVE-2024-0792 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WP Shortcodes Plugin — Shortcodes Ultimate <= 7.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Feb 7, 2024 · Patched in 7.0.2 (174d)

CVE-2023-6488 · medium · 5.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WP Shortcodes Plugin — Shortcodes Ultimate <= 7.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Dec 18, 2023 · Patched in 7.0.1 (225d)

CVE-2023-6226 · medium · 4.3 · Authorization Bypass Through User-Controlled Key
WP Shortcodes Plugin — Shortcodes Ultimate <= 5.13.3 - Insecure Direct Object Reference to Information Disclosure
Nov 27, 2023 · Patched in 7.0.0 (246d)

CVE-2023-6225 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WP Shortcodes Plugin — Shortcodes Ultimate <= 5.13.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Nov 27, 2023 · Patched in 7.0.0 (246d)

CVE-2023-0911 · medium · 6.5 · Exposure of Sensitive Information to an Unauthorized Actor
Shortcodes Ultimate <= 5.12.7 - Authenticated (Subscriber+) Information Exposure
Feb 27, 2023 · Patched in 5.12.8 (330d)

CVE-2023-0890 · medium · 4.3 · Authorization Bypass Through User-Controlled Key
Shortcodes Ultimate <= 5.12.7 - Authenticated (Subscriber+) Arbitrary Post Access via Shortcode
Feb 27, 2023 · Patched in 5.12.8 (330d)

CVE-2023-25050 · medium · 6.5 · External Control of File Name or Path
Shortcodes Ultimate <= 5.12.6 - Authenticated (Subscriber+) Arbitrary File Read via Shortcode
Feb 10, 2023 · Patched in 5.12.7 (347d)

CVE-2023-23800 · medium · 6.5 · Server-Side Request Forgery (SSRF)
Shortcodes Ultimate <= 5.12.6 - Authenticated (Subscriber+) Server-Side Request Forgery
Feb 10, 2023 · Patched in 5.12.7 (347d)

CVE-2023-25040 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Shortcodes Ultimate <= 5.12.6 - Authenticated (Contributor+) Stored Cross-Site Scripting
Feb 10, 2023 · Patched in 5.12.7 (347d)

WF-2ac1d65c-5e09-41ca-809b-2ab3ab5f62af-shortcodes-ultimate · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Shortcodes Ultimate <= 5.12.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting
Oct 13, 2022 · Patched in 5.12.1 (467d)

CVE-2022-41136 · high · 8.8 · Cross-Site Request Forgery (CSRF)
Shortcodes Ultimate <= 5.12.0 - Cross-Site Request Forgery
Oct 13, 2022 · Patched in 5.12.1 (467d)

CVE-2022-38086 · high · 8.8 · Cross-Site Request Forgery (CSRF)
Shortcodes Ultimate <= 5.12.0 - Cross-Site Request Forgery
Oct 2, 2022 · Patched in 5.12.1 (478d)

CVE-2021-24525 · medium · 5.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WordPress Shortcodes Plugin — Shortcodes Ultimate <= 5.10.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Aug 23, 2021 · Patched in 5.10.2 (883d)

CVE-2017-18580 · high · 8.8 · Improper Control of Generation of Code ('Code Injection')
WordPress Shortcodes Plugin — Shortcodes Ultimate <= 5.0.0 - Authenticated Remote Code Execution
Oct 31, 2017 · Patched in 5.0.1 (2275d)

CVE-2017-2245 · medium · 5 · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
WordPress Shortcodes Plugin — Shortcodes Ultimate < 4.10.0 - Directory Traversal
Jun 23, 2017 · Patched in 4.10.0 (2405d)

WF-baa720d6-1891-4557-a744-830be56862e9-shortcodes-ultimate · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WordPress Shortcodes Plugin — Shortcodes Ultimate <= 4.9.3 - Cross-Site Scripting
May 5, 2015 · Patched in 4.9.4 (3185d)
Code Analysis
Analyzed Mar 16, 2026

WP Shortcodes Plugin — Shortcodes Ultimate Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (4 prepared)
Unescaped Output: 37 (475 escaped)
Nonce Checks: 5
Capability Checks: 5
File Operations: 1
External Requests: 1
Bundled Libraries: 1

Bundled Libraries

Freemius 1.0

SQL Query Safety

100% prepared (4 total queries)

Output Escaping

93% escaped (512 total outputs)

Data Flows (4 unsanitized)

Data Flow Analysis

8 flows, 4 with unsanitized paths

Flagged function: the_menu_page (admin\class-shortcodes-ultimate-admin.php:206)
Attack Surface (4 unprotected)

WP Shortcodes Plugin — Shortcodes Ultimate Attack Surface

Entry Points: 8
Unprotected: 4

AJAX Handlers (8)

auth · wp_ajax_su_generator_settings · inc\core\generator.php:24
auth · wp_ajax_su_generator_preview · inc\core\generator.php:25
auth · wp_ajax_su_generator_get_icons · inc\core\generator.php:28
auth · wp_ajax_su_generator_get_terms · inc\core\generator.php:29
auth · wp_ajax_su_generator_get_taxonomies · inc\core\generator.php:30
auth · wp_ajax_su_generator_add_preset · inc\core\generator.php:31
auth · wp_ajax_su_generator_remove_preset · inc\core\generator.php:32
auth · wp_ajax_su_generator_get_preset · inc\core\generator.php:33
WordPress Hooks (46)

action · wp_head · inc\core\assets.php:20
action · admin_head · inc\core\assets.php:21
action · su/generator/preview/before · inc\core\assets.php:22
action · su/examples/preview/before · inc\core\assets.php:23
action · wp_footer · inc\core\assets.php:25
action · admin_footer · inc\core\assets.php:26
action · su/generator/preview/after · inc\core\assets.php:28
action · su/examples/preview/after · inc\core\assets.php:29
action · wp_footer · inc\core\assets.php:31
action · su/generator/preview/after · inc\core\assets.php:32
action · su/examples/preview/after · inc\core\assets.php:33
action · su/assets/custom_css/after · inc\core\assets.php:35
action · media_buttons · inc\core\generator.php:11
action · enqueue_block_editor_assets · inc\core\generator.php:16
action · wp_footer · inc\core\generator.php:21
action · admin_footer · inc\core\generator.php:22
action · su/generator/actions · inc\core\generator.php:26
action · delete_attachment · inc\core\tools.php:344
action · admin_init · includes\class-shortcodes-ultimate.php:205
action · admin_menu · includes\class-shortcodes-ultimate.php:211
action · admin_menu · includes\class-shortcodes-ultimate.php:217
action · admin_enqueue_scripts · includes\class-shortcodes-ultimate.php:218
action · admin_menu · includes\class-shortcodes-ultimate.php:224
action · admin_init · includes\class-shortcodes-ultimate.php:225
action · admin_enqueue_scripts · includes\class-shortcodes-ultimate.php:226
action · admin_init · includes\class-shortcodes-ultimate.php:227
action · load-plugins.php · includes\class-shortcodes-ultimate.php:232
action · admin_notices · includes\class-shortcodes-ultimate.php:233
action · admin_post_su_dismiss_notice · includes\class-shortcodes-ultimate.php:234
action · admin_notices · includes\class-shortcodes-ultimate.php:239
action · admin_post_su_dismiss_notice · includes\class-shortcodes-ultimate.php:240
action · update_option_su_option_unsafe_features · includes\class-shortcodes-ultimate.php:241
filter · attachment_fields_to_edit · includes\class-shortcodes-ultimate.php:250
filter · attachment_fields_to_save · includes\class-shortcodes-ultimate.php:256
action · admin_init · includes\class-shortcodes-ultimate.php:266
filter · su/data/groups · includes\class-shortcodes-ultimate.php:267
filter · su/data/shortcodes · includes\class-shortcodes-ultimate.php:268
action · init · includes\class-shortcodes-ultimate.php:282
action · init · includes\class-shortcodes-ultimate.php:286
filter · no_texturize_shortcodes · includes\class-shortcodes-ultimate.php:290
filter · term_description · includes\class-shortcodes-ultimate.php:296
filter · widget_text · includes\class-shortcodes-ultimate.php:299
filter · the_content · includes\class-shortcodes-ultimate.php:305
action · widgets_init · includes\deprecated\class-su-widget.php:61
action · init · plugin.php:11
action · widgets_init · plugin.php:17
Maintenance & Trust

WP Shortcodes Plugin — Shortcodes Ultimate Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 2, 2026
PHP min version: 5.4
Downloads: 24.5M

Community Trust

Rating: 98/100
Number of ratings: 5,917
Active installs: 400K
Developer Profile

WP Shortcodes Plugin — Shortcodes Ultimate Developer Profile

Vova

4 plugins · 400K total installs

Trust score: 69
Avg Security Score: 86/100
Avg Patch Time: 403 days
Detection Fingerprints

How We Detect WP Shortcodes Plugin — Shortcodes Ultimate

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/shortcodes-ultimate/css/admin.css
/wp-content/plugins/shortcodes-ultimate/js/about/index.js
/wp-content/plugins/shortcodes-ultimate/vendor/freemius/start.php

Script Paths
https://player.vimeo.com/api/player.js

Version Parameters
shortcodes-ultimate/style.css?ver=
shortcodes-ultimate/js/about/index.js?ver=
shortcodes-ultimate/css/admin.css?ver=

HTML / DOM Fingerprints

CSS Classes
su-btn, su-shortcode, su-section, su-tabs, su-accordion, su-spoiler, su-slider, su-carousel (+56 more)

Data Attributes
data-su-id, data-su-title, data-su-content, data-su-type, data-su-width, data-su-height (+171 more)

JS Globals
window.vimeo
FAQ

Frequently Asked Questions about WP Shortcodes Plugin — Shortcodes Ultimate