Local File Inclusion Vulnerability in Query Shortcode Plugin for WordPress
CVE-2026-9200

7.5 HIGH

Key Information:

Vendor: WordPress

CVE Published: 27 May 2026

What is CVE-2026-9200?

The Query Shortcode plugin for WordPress has a Local File Inclusion vulnerability that affects all versions up to 0.2.1. Authenticated users with contributor-level access and above can abuse the plugin's shortcode function to include arbitrary .php files from the server, which executes any PHP code those files contain. This can lead to unauthorized access, data breaches, or arbitrary code execution, especially where .php files can be uploaded and then included. Users of affected versions should assess their risk and consider applying security patches or updates.

Affected Version(s)

Query Shortcode 0 <= 0.2.1

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Muhammad Yudha - DJ