PT-2026-43540 · WordPress · Query Shortcode
Dj
+1
·
Published
2026-05-27
·
Updated
2026-06-04
·
CVE-2026-9200
CVSS v3.1
7.5
High
| Vector | AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Query Shortcode versions prior to 0.2.2
Description
The Query Shortcode plugin for WordPress contains a Local File Inclusion issue within the shortcode function. Authenticated attackers with contributor-level access or higher can exploit this by using the
lens shortcode attribute to include and execute arbitrary .php files on the server. This allows for the execution of PHP code, which can be used to bypass access controls or obtain sensitive data, particularly when .php files can be uploaded to the server.Recommendations
Update the plugin to a version later than 0.2.1.
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Query Shortcode