CVE-2026-0737
Shortcodes Ultimate <= 7.4.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'su_lightbox' ShortcodeThe WP Shortcodes Plugin - Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 7.4.7. This is due to insufficient input sanitization and output escaping in the 'src' attribute of the su_lightbox shortcode. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
We have discovered 35,185 live websites that are affected by CVE-2026-0737.
Affected Software
| Product | |
| Category | Widgets |
| Vulnerable Domains | 35,185 live websites (61% of Shortcodes Ultimate install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 104 versions ( 97% of all versions) |
Common Weakness Enumeration
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')Details
- Published - Apr 4, 2026
- Updated - Apr 8, 2026
Credits
- Dmitrii Ignatyev (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2026-0737 United States | 8,637 websites |
 Japan | 4,759 websites |
 Germany | 3,914 websites |
 Russia | 3,275 websites |
 France | 1,891 websites |
 Italy | 1,136 websites |
 Poland | 1,092 websites |
 GB | 994 websites |
 Spain | 746 websites |
 Netherlands | 636 websites |
Website Distribution by TLD
Number of websites using CVE-2026-0737| .com | 13,263 websites |
| .ru | 2,685 websites |
| .de | 2,568 websites |
| .org | 1,890 websites |
| .net | 1,187 websites |
| .jp | 1,119 websites |
| .fr | 960 websites |
| .pl | 818 websites |
| .it | 781 websites |
| .co.jp | 644 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2026-0737
Top websites that are affected by CVE-2026-0737. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *****************.com | United States | *,*** | |
| ***.com | United States | *,*** | |
| ***********.net | United States | **,*** | |
| *************.com | United States | **,*** | |
| ******.com | United States | **,*** | |
| *********.com | United States | **,*** | |
| *****.org | United States | **,*** | |
| ******.com | United States | **,*** | |
| **********.com | United States | **,*** | |
| ******.eu | United States | **,*** |
FAQ
CVE-2026-0737 is Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Shortcodes Ultimate
A total of 35,185 websites have been identified as vulnerable to CVE-2026-0737, based on global website indexing conducted by WebTechSurvey.
The Shortcodes Ultimate is affected by the CVE-2026-0737 vulnerability.
Shortcodes Ultimate versions up to and including 7.4.7 are vulnerable to CVE-2026-0737.