Zenost Shortcodes Vulnerability

MEDIUM (6.4) No Patch (2 days)

Threat Intelligence

Low Risk
EPSS Score: 0.03% chance of exploitation (percentile: 7%)
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found


What is it?

The Zenost Shortcodes plugin for WordPress is a utility that lets users add buttons with custom links and targets via a shortcode. Because the plugin does not sufficiently sanitize the shortcode's input or escape its output, it is vulnerable to Stored Cross-Site Scripting (XSS). An attacker who can place shortcode attributes into content is able to inject script into the plugin's rendered HTML; that HTML is stored and served by WordPress, and the injected script then executes in the browser of any user who views a page containing it.
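To show the bug class in code, here is an added illustration (not the plugin's own source) of a shortcode handler that emits its attributes unescaped, beside a hardened version that validates the target and escapes each value for the HTML context it lands in. The shortcode name `zenost_button` and the attribute names `link`, `target` and `text` are assumptions for the example.

```php
<?php
// Added illustration of the bug class described above. The shortcode name,
// attribute names and both handlers are hypothetical; they are NOT the
// plugin's actual code.

// Vulnerable pattern: attributes are interpolated into HTML without escaping,
// so whatever is stored in the post content is emitted verbatim.
function zenost_button_vulnerable( $atts ) {
    $atts = shortcode_atts( array(
        'link'   => '#',
        'target' => '_self',
        'text'   => 'Click here',
    ), $atts, 'zenost_button' );

    return '<a class="zenost-button" href="' . $atts['link'] . '" target="' . $atts['target'] . '">' . $atts['text'] . '</a>';
}

// Hardened pattern: validate what has a closed value set, escape everything
// else for the HTML context it lands in.
function zenost_button_hardened( $atts ) {
    $atts = shortcode_atts( array(
        'link'   => '#',
        'target' => '_self',
        'text'   => 'Click here',
    ), $atts, 'zenost_button' );

    // target is an enum: reject anything outside the allowed set.
    $allowed_targets = array( '_self', '_blank' );
    $target = in_array( $atts['target'], $allowed_targets, true ) ? $atts['target'] : '_self';

    // esc_url() drops URLs whose scheme is not on WordPress's allow-list and
    // encodes characters that would otherwise break out of the attribute.
    $link = esc_url( $atts['link'] );

    // When opening a new window, sever window.opener access.
    $rel = ( '_blank' === $target ) ? ' rel="noopener noreferrer"' : '';

    return sprintf(
        '<a class="zenost-button" href="%s" target="%s"%s>%s</a>',
        $link,
        esc_attr( $target ),
        $rel,
        esc_html( $atts['text'] )
    );
}

add_shortcode( 'zenost_button', 'zenost_button_hardened' );
```

The first handler is the pattern the advisory describes; the second is what a fixed plugin would look like, with escaping applied at output time rather than relying on whatever the stored content happens to contain.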

Am I affected?

You're affected if you use Zenost Shortcodes. Specific version information is not stated in the advisory.

Affected Products

WordPress.org / Zenost Shortcodes

How to fix

To fix this vulnerability, upgrade to Zenost Shortcodes version 1.1 or later. You can do this by:

  • Using the WordPress Plugin Update Tool: https://make.wordpress.org/core/2023/02/06/plugin-update-tool/
  • Replacing the plugin files in your wp-content/plugins directory manually

Temporary mitigations if you cannot upgrade right away:
- Disable the plugin so its shortcode is no longer rendered
- Remove uses of the button shortcode from your theme templates and content