Stored Cross-Site Scripting in Simple Divi Shortcode Plugin for WordPress
CVE-2026-9714

6.4MEDIUM

Key Information:

Vendor: WordPress
Status: Simple Divi Shortcode
Vendor: CVE Published:; 29 May 2026

What is CVE-2026-9714?

The Simple Divi Shortcode plugin for WordPress contains a vulnerability that allows for Stored Cross-Site Scripting through the 'id' parameter of the [showmodule] shortcode. This issue arises from inadequate input sanitization and output escaping in the showmodule_shortcode() function. Attackers with contributor-level access can exploit this flaw by injecting arbitrary HTML into pages, leading to the execution of malicious scripts when users access those pages. Ensuring proper escaping of dynamic shortcode strings is essential to mitigate this risk.

Affected Version(s)

Simple Divi Shortcode 0 <= 1.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/simple-divi-sh...

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 29, 2026
Vulnerability Reserved
May 27, 2026

Credit

Muhammad Yudha - DJ

CVE-2026-9714 Data

JSON