The Shortcodes Ultimate plugin, used on more than 700,000 WordPress sites for creating things like tabs, buttons, and accordions, has patched a vulnerability in version 5.12.1. The plugin’s changelog simply says, “This update fixes a security vulnerability in the shortcode generator. To the author’s credit, the changelog clearly denotes it as a security update, although it doesn’t offer specific details.
The vulnerability was reported by researcher Dave Jong at Patchstack and is logged at the National Vulnerability Database (NVD) as a Cross-Site Request Forgery (CSRF) vulnerability leading to plugin preset settings change. It was patched two weeks ago and the NVD published the advisory this week.
At this time, the vulnerability is not known to have been exploited, but users are advised to update to the latest version. Based on WordPress.org stats, 46% of the plugin’s user base is running on versions older than 5.12.x. The Shortcodes Ultimate plugin author has since released version 5.12.2, which fixes an issue with the Shortcode Generator Presets that was introduced in the previous update.