CVE-2023-6226 MEDIUM

CVE-2023-6226: WP Shortcodes Plugin — Shortcodes Ultimate <= 5.13.3 - Insecure Direct Object Reference to Information Disclosure

Vendor Gn_Themes
Product WP Shortcodes Plugin — Shortcodes Ultimate
Weakness CWE-639 · IDOR
Published November 28, 2023
Last update April 8, 2026

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.13.3 via the su_meta shortcode due to missing validation on the user controlled keys 'key' and 'post_id'. This makes it possible for authenticated attackers, with contributor-level access and above, to retrieve arbitrary post meta values which may contain sensitive information when combined with another plugin.

Key dates

02Disclosure timeline

November 28, 2023 CVE published
April 8, 2026 Record updated