PT-2026-44754 · WordPress · Simple Divi Shortcode

Dj

+1

·

Published

2026-05-29

·

Updated

2026-05-29

·

CVE-2026-9714

CVSS v3.1

6.4

Medium

VectorAV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions Simple Divi Shortcode versions prior to 1.3
Description The Simple Divi Shortcode plugin for WordPress contains a Stored Cross-Site Scripting issue. This occurs because the showmodule shortcode() function fails to properly sanitize input and escape output when handling the id parameter of the [showmodule] shortcode. The id attribute is concatenated directly into a dynamically constructed shortcode string without using esc attr() or other escaping methods, allowing an attacker to break the attribute context and inject arbitrary HTML. Authenticated attackers with contributor-level access or higher can inject malicious web scripts into pages, which then execute when a user visits the affected page.
Recommendations Update to a version later than 1.2. As a temporary workaround, restrict the use of the id parameter within the [showmodule] shortcode or limit user permissions to prevent contributors from editing pages with this shortcode.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-9714

Affected Products

Simple Divi Shortcode