CVE-2026-9714: Simple Divi Shortcode Plugin Stored XSS Vulnerability (WordPress)
A vulnerability in the Simple Divi Shortcode WordPress plugin (versions 1.2 and earlier) allows authenticated users with contributor-level permissions or higher to inject malicious code into pages. When other users view those pages, the injected code executes in their browsers. The vulnerability stems from the plugin failing to properly sanitize user input in the [showmodule] shortcode's 'id' parameter. While this requires authenticated access, the ability to execute arbitrary scripts across users' sessions creates a meaningful security risk for WordPress sites using this plugin.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
The Simple Divi Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the [showmodule] shortcode in versions up to, and including, 1.2 This is due to insufficient input sanitization and output escaping in the showmodule_shortcode() function, which concatenates the 'id' shortcode attribute directly into a dynamically constructed shortcode string without applying esc_attr() or any escaping, allowing an attacker to break out of the attribute context and inject arbitrary HTML. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-9714 is a Stored Cross-Site Scripting (XSS) vulnerability in the Simple Divi Shortcode plugin's showmodule_shortcode() function. The vulnerability arises from insufficient input sanitization and output escaping of the 'id' shortcode attribute. The plugin concatenates the 'id' parameter directly into a dynamically constructed shortcode string without applying esc_attr() or equivalent escaping functions, allowing attackers to break out of attribute context and inject arbitrary HTML and JavaScript. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). Exploitation requires contributor-level or higher privileges and creates a persistent payload that executes each time an authorized user views the affected page.
Business impact
For WordPress site operators, this vulnerability poses a content integrity and user trust risk. An attacker with contributor access—often granted to content creators, authors, or partner accounts—can silently inject malicious scripts that compromise visitor sessions, redirect users, harvest credentials, or deliver malware. The stored nature of the attack means the payload persists until manually removed, creating prolonged exposure. Sites relying on this plugin for shortcode functionality face potential visitor compromise and reputational damage if exploited. Smaller teams with looser access controls or managed hosting environments face higher practical risk.
Affected systems
This vulnerability affects WordPress installations running the Simple Divi Shortcode plugin in version 1.2 or earlier. Any WordPress site with this plugin active and users granted contributor-level access or higher is at risk. The vulnerability does not require an unauthenticated attacker—it requires someone with existing plugin permissions—making the risk profile dependent on how site administrators distribute contributor and above roles.
Exploitability
The vulnerability is moderately exploitable. It requires valid WordPress authentication at the contributor level or above, which limits the attack surface to trusted (or compromised) internal accounts. However, once those credentials are compromised or misused, exploitation is straightforward: the attacker simply adds or edits a post or page, embeds a malicious [showmodule] shortcode with injected JavaScript in the 'id' parameter, and the payload persists and executes for all subsequent visitors. The lack of complexity in the exploit itself, combined with the prevalence of contributor-level accounts, elevates practical risk despite the authentication requirement. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
Remediation
Site administrators should update the Simple Divi Shortcode plugin immediately to a version later than 1.2 (verify against the vendor advisory for the patched release). For environments where immediate patching is not possible, consider disabling the plugin or restricting the [showmodule] shortcode to trusted administrators only. Review contributor-level and author-level account assignments on affected sites and revoke unnecessary permissions. Audit recent posts and pages using the [showmodule] shortcode for suspicious or unexpected 'id' parameter values and remove any malicious payloads before users encounter them.
Patch guidance
Check the Simple Divi Shortcode plugin repository or the vendor's advisory for version 1.3 or later (exact version numbers should be verified against official release notes). Update through the WordPress admin panel's plugin management interface or via command-line tools if available. After patching, verify that all shortcodes on your site render correctly, as the fix may affect shortcode behavior. If you are running multiple WordPress installations, prioritize patching those with higher contributor user counts or greater public traffic first.
Detection guidance
Review your WordPress plugin audit logs and post/page revision histories for changes to shortcodes, particularly the [showmodule] shortcode, made by contributor-level users. Look for 'id' parameter values containing HTML entities, script tags, or unusual characters that suggest injection attempts. Monitor for JavaScript console errors or unexpected network requests initiated from pages containing [showmodule] shortcodes. If you maintain logs of post modifications, cross-reference contributors who added or edited shortcodes with known user activity to identify suspicious patterns. WordPress security plugins may offer XSS detection rules; ensure those rules are enabled and reviewed for alerts.
Why prioritize this
This vulnerability merits prompt attention despite a MEDIUM CVSS score. The stored XSS nature means the attack persists indefinitely until remediated, creating cumulative exposure to all site visitors. While authentication is required, contributor-level access is commonly granted and frequently compromised or misused. The ease of exploitation once authenticated, combined with the absence of any CVSS availability impact, suggests the primary concern is confidentiality and integrity of user sessions rather than service disruption. Organizations with high-traffic or high-value WordPress properties should prioritize patching this plugin within their standard update cycles.
Risk score, explained
CVSS 3.1 score of 6.4 (MEDIUM) reflects a low attack vector threshold (network-accessible), low attack complexity, and low privilege requirement (authenticated). The scope is changed, indicating the vulnerability can impact resources beyond the plugin itself. Confidentiality and integrity impacts are rated low because the attacker can inject arbitrary scripts but the CVSS model does not escalate for stored XSS that affects multiple users. Availability is not impacted (no denial-of-service vector). The MEDIUM severity appropriately captures that this is a serious but non-critical threat requiring timely remediation rather than emergency response.
Frequently asked questions
Can an unauthenticated attacker exploit this vulnerability?
No. Exploitation requires valid WordPress authentication at the contributor level or above. An attacker must either have legitimate credentials or compromise an existing contributor account to inject the malicious shortcode.
If I update the plugin, will my existing pages with malicious shortcodes be cleaned automatically?
No. Patching the plugin fixes the vulnerability going forward and prevents new injection attacks, but any malicious payloads already stored in your pages will remain until you manually audit and remove them. Review recent page revisions and shortcode usage immediately after patching.
What should I do if I suspect contributor accounts have been compromised?
Immediately reset passwords for suspected accounts, review their recent activity and post/page modifications for injected content, and purge any malicious shortcodes from published pages. Consider enabling two-factor authentication for all contributor-level and above roles to prevent future compromise.
Is there an interim workaround if I cannot update immediately?
If immediate patching is not feasible, disable the Simple Divi Shortcode plugin entirely until a patch is available, or restrict shortcode usage to administrator-level accounts only through your site's user capability settings. Review and narrow contributor role permissions where possible.
This analysis is based on publicly available information and the CVE record as of the date of publication. Security researchers and organizations should verify all patch version numbers, release dates, and remediation guidance directly against the plugin vendor's official advisory and release notes. This explainer does not constitute professional security advice; organizations should conduct their own risk assessments based on their environment, user privileges, and exposure. No exploit code or proof-of-concept instructions are provided. Always test patches in a non-production environment before deploying to production systems. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2019-25731MEDIUMStored XSS in Zuz Music 2.1 Contact Form
- CVE-2019-25737MEDIUMStored XSS in Live Chat Unlimited 2.8.3 – Admin Session Compromise
- CVE-2019-25739MEDIUMGigToDo 1.3 Stored XSS Vulnerability in Proposal Descriptions
- CVE-2019-25742MEDIUMStored XSS in Zoner Real Estate WordPress Theme 4.1.1 – Admin Account Compromise Risk
- CVE-2019-25743MEDIUMWordPress Soliloquy Lite 2.5.6 Stored XSS Vulnerability
- CVE-2019-25744MEDIUMWordPress Popup Builder 3.49 Stored XSS Vulnerability – Exploit Prevention & Patch Guide
- CVE-2025-14042MEDIUMStored XSS in Automotive Car Dealership Business WordPress Theme 13.4.1