Medium severity4.3NVD Advisory· Published Mar 7, 2022· Updated Jun 17, 2026
CVE-2021-24825
CVE-2021-24825
Description
The Custom Content Shortcode WordPress plugin before 4.0.2 does not validate the data passed to its load shortcode, which could allow Contributor+ (v < 4.0.1) or Admin+ (v < 4.0.2) users to display arbitrary files from the filesystem (such as logs, .htaccess etc), as well as perform Local File Inclusion attacks as PHP files will be executed. Please note that such attack is still possible by admin+ in single site blogs by default (but won't be when either the unfiltered_html or file_edit is disallowed)
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- WordPress/Custom Content Shortcode WordPress plugindescription
- Range: <4.0.2
Patches
Vulnerability mechanics
References
1- wpscan.com/vulnerability/be9d6f82-c972-459a-bacf-65b3dfb11a09nvdExploitThird Party Advisory
News mentions
0No linked articles in our index yet.