vulnerability

WordPress Plugin: shortcodes-ultimate: CVE-2021-24525: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
3	(AV:N/AC:M/Au:S/C:N/I:P/A:N)	Aug 23, 2021	May 15, 2025	Jun 24, 2025

Severity

CVSS

(AV:N/AC:M/Au:S/C:N/I:P/A:N)

Published

Aug 23, 2021

Added

May 15, 2025

Modified

Jun 24, 2025

Description

The Shortcodes Ultimate WordPress plugin before 5.10.2 allows users with Contributor roles to perform stored XSS via shortcode attributes. Note: the plugin is inconsistent in its handling of shortcode attributes; some do escape, most don't, and there are even some attributes that are insecure by design (like [su_button]'s onclick attribute).

Solution

shortcodes-ultimate-plugin-cve-2021-24525

References

URL-https://www.cve.org/CVERecord?id=CVE-2021-24525
URL-https://www.wordfence.com/threat-intel/vulnerabilities/id/98f87769-d4e4-4e27-9acf-a4e52bdbf734?source=api-prod
CVE-2021-24525
https://attackerkb.com/topics/CVE-2021-24525
CWE-79

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today