Unauthenticated function injection vulnerability in WordPress Shortcode Addons plugin (unpatched).

The WordPress Shortcode Addons plugin version 3.2.5 and below is prone to an unauthenticated function injection vulnerability.

Unauthenticated Function Injection

CVSS v3.1: 8.6 (High)

The shortcode_addons_data_process function, accessible to unauthenticated users via the shortcode_addons_data AJAX action, lacks a capability check and its security nonce can be found in the frontend of the site. An unauthenticated user can leverage the vulnerability to call any static method, with up to three optional parameters.
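To make the missing controls concrete, the following is an added example, not code from the Shortcode Addons plugin, of how a WordPress AJAX handler for an operation of this kind can be written so that a frontend-readable nonce is not the only gate and the request never selects the method to call; the action, nonce, option and class names are assumptions.

```php
<?php
// Added illustration, not code from the Shortcode Addons plugin. A WordPress AJAX
// handler showing the controls an unauthenticated, nonce-only action of the kind
// described above is missing. All names here are hypothetical.

class Example_Shortcode_Renderer {
    // The only operation the handler is allowed to reach.
    public static function render_preview( $title, $post_id ) {
        return array( 'html' => '<p>' . esc_html( $title ) . '</p>', 'post_id' => $post_id );
    }
}

// The request selects an operation by key; it never supplies a class or method
// name that is handed to a dynamic call.
const EXAMPLE_ALLOWED_OPERATIONS = array(
    'render_preview' => array( 'Example_Shortcode_Renderer', 'render_preview' ),
);

function example_shortcode_data_process() {
    // 1. Nonce check: CSRF protection only. A nonce that is printed on the public
    //    frontend proves nothing about who is calling.
    check_ajax_referer( 'example_shortcode_nonce', 'nonce' );

    // 2. Capability check: the authorization step a nonce does not provide.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'insufficient_permissions', 403 );
    }

    // 3. Allowlist lookup; unknown operations are rejected before any call is made.
    $op = isset( $_POST['op'] ) ? sanitize_key( wp_unslash( $_POST['op'] ) ) : '';
    if ( ! isset( EXAMPLE_ALLOWED_OPERATIONS[ $op ] ) ) {
        wp_send_json_error( 'unknown_operation', 400 );
    }

    // 4. Fixed parameter shape, each value sanitized for its expected type, instead
    //    of forwarding up to three arbitrary request values.
    $args = array(
        sanitize_text_field( wp_unslash( isset( $_POST['title'] ) ? $_POST['title'] : '' ) ),
        absint( isset( $_POST['post_id'] ) ? $_POST['post_id'] : 0 ),
    );

    wp_send_json_success( call_user_func_array( EXAMPLE_ALLOWED_OPERATIONS[ $op ], $args ) );
}

// Registered on wp_ajax_ only: the wp_ajax_nopriv_ hook is what would expose the
// action to anonymous visitors.
add_action( 'wp_ajax_example_shortcode_data', 'example_shortcode_data_process' );
```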

Recommendations

Uninstall the plugin as there’s no patch available.
If you are using our web application firewall for WordPress, NinjaFirewall WP Edition (free) or NinjaFirewall WP+ Edition (premium), you are protected against this vulnerability.

Timeline

The vulnerability was reported to the WordPress plugins team on February 23, 2024. No security update has been released since.