CVE-2026-9200
Published: 2026-05-27 · Last updated: 2026-05-27
Severity and scoring
- CVSS: 7.5 HIGH
- Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
- CWE: CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program)
Description
The Query Shortcode plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0.2.1 via the shortcode function. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
Source: NVD
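The advisory describes the classic CWE-98 shape: a shortcode attribute that a contributor controls is used to build a path handed to include(), so any .php file reachable on the server is executed. The following is an added example, not the Query Shortcode plugin's code and not taken from the referenced init.php. It uses a hypothetical shortcode [example_query template="..."] with a hypothetical attribute name and template directory, and places the weak pattern beside a hardened form that treats the attribute as an allowlist key rather than a path:

```php
<?php
// Added example, not the Query Shortcode plugin's code. Shows the CWE-98 pattern a
// shortcode handler must avoid (user-controlled include path) beside a hardened form.
// Hypothetical shortcode: [example_query template="list"] renders a template file.

// Fixed directory holding the only templates the shortcode may render.
// Assumption: the plugin ships its templates under its own /templates directory.
define( 'EXAMPLE_QUERY_TEMPLATE_DIR', __DIR__ . '/templates' );

// Weak form: the attribute value reaches include() unchanged. Whoever can place the
// shortcode in a post (contributor-level in the advisory) chooses which .php file runs.
function example_query_shortcode_weak( $atts ) {
    $atts = shortcode_atts( array( 'template' => 'default' ), $atts, 'example_query' );
    ob_start();
    include EXAMPLE_QUERY_TEMPLATE_DIR . '/' . $atts['template'] . '.php'; // CWE-98
    return ob_get_clean();
}

// Hardened form: the attribute is a key into a fixed allowlist, never a path fragment.
function example_query_resolve_template( $name ) {
    // Template keys mapped to the files they may render. Anything not listed is rejected.
    $allowed = array(
        'default' => 'default.php',
        'list'    => 'list.php',
        'grid'    => 'grid.php',
    );
    if ( ! is_string( $name ) || ! isset( $allowed[ $name ] ) ) {
        return false;
    }
    // Defence in depth: confirm the resolved file really sits inside the template
    // directory, so a misconfigured mapping or a symlink cannot escape it.
    $base = realpath( EXAMPLE_QUERY_TEMPLATE_DIR );
    $file = realpath( EXAMPLE_QUERY_TEMPLATE_DIR . '/' . $allowed[ $name ] );
    if ( false === $base || false === $file
        || 0 !== strpos( $file, $base . DIRECTORY_SEPARATOR ) ) {
        return false;
    }
    return $file;
}

function example_query_shortcode_hardened( $atts ) {
    $atts = shortcode_atts( array( 'template' => 'default' ), $atts, 'example_query' );
    $file = example_query_resolve_template( $atts['template'] );
    if ( false === $file ) {
        // Fail closed: an unknown template key renders nothing and leaves a log line
        // the site owner can alert on.
        error_log( 'example_query: rejected template attribute '
            . sanitize_text_field( $atts['template'] ) );
        return '';
    }
    ob_start();
    include $file;
    return ob_get_clean();
}

add_shortcode( 'example_query', 'example_query_shortcode_hardened' );
```

The allowlist is the actual fix; the realpath() check only guards against mistakes in the mapping. A capability check would not help here, because shortcodes are rendered for every visitor once a contributor has saved them into content, so the attribute value itself must be constrained. Until a patched release is available, the mitigation the advisory implies is to restrict who holds contributor-level access or to disable the plugin.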
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2026-9200
- [Other] https://plugins.trac.wordpress.org/browser/query-shortcode/trunk/init.php#L178
- [Other] https://plugins.trac.wordpress.org/browser/query-shortcode/trunk/init.php#L56
- [Other] https://plugins.trac.wordpress.org/browser/query-shortcode/trunk/init.php#L97
- [Other] https://www.wordfence.com/threat-intel/vulnerabilities/id/28df760b-6b15-41ca-b93f-9d24dbbd9fc4?source=cve
Related CVEs
Same CWE
- CVE-2026-49954 — Discuz (7.2 HIGH)
- CVE-2016-20082 — WordPress Plugin Abtest contains a local file inclusion vulnerability that allows unauthenticated attackers to include arbitrary files by... (6.2 MEDIUM)
- CVE-2016-20080 — WordPress Brandfolder plugin version 3.0 and earlier contains a local file inclusion vulnerability in callback.php that allows unauthenti... (6.2 MEDIUM)
- CVE-2016-20079 — WordPress Dharma Booking 2.28.3 and earlier contains a local file inclusion vulnerability that allows unauthenticated attackers to includ... (6.2 MEDIUM)
- CVE-2016-20078 — WordPress IMDb Profile Widget 1.0.8 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary... (6.2 MEDIUM)