PT-2026-43540 · WordPress · Query Shortcode

Dj

+1

·

Published

2026-05-27

·

Updated

2026-06-04

·

CVE-2026-9200

CVSS v3.1

7.5

High

VectorAV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Query Shortcode versions prior to 0.2.2
Description The Query Shortcode plugin for WordPress contains a Local File Inclusion issue within the shortcode function. Authenticated attackers with contributor-level access or higher can exploit this by using the lens shortcode attribute to include and execute arbitrary .php files on the server. This allows for the execution of PHP code, which can be used to bypass access controls or obtain sensitive data, particularly when .php files can be uploaded to the server.
Recommendations Update the plugin to a version later than 0.2.1.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-9200

Affected Products

Query Shortcode