CVE-2026-1257

Name of the Vulnerable Software and Affected Versions WordPress Administrative Shortcodes plugin versions prior to 0.3.5

Description The Administrative Shortcodes plugin for WordPress is susceptible to a Local File Inclusion issue in all versions up to and including 0.3.4. This is caused by inadequate path validation of user-supplied input passed to the get template part() function through the slug attribute of the get template shortcode. Successful exploitation allows authenticated attackers with Contributor-level access or higher to include and execute arbitrary files on the server. This can lead to bypassing access controls, obtaining sensitive data, or achieving code execution when attackers can upload and include files. The get template shortcode and its slug attribute are involved in this issue.

Recommendations Update the Administrative Shortcodes plugin to version 0.3.5 or later.