CVE-2026-9200
Description
The Query Shortcode plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0.2.1 via the shortcode function. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Query Shortcode plugin for WordPress ≤0.2.1 allows authenticated contributors to include and execute arbitrary .php files via a shortcode, leading to code execution or data disclosure.
Vulnerability
The Query Shortcode plugin for WordPress, in all versions up to and including 0.2.1, contains a Local File Inclusion (LFI) vulnerability. The flaw resides in the shortcode handling function in init.php [1][2][3]. The plugin fails to properly sanitize user-controllable input passed to the shortcode, allowing an authenticated attacker to include arbitrary .php files from the server's filesystem. The plugin is intended to display query results in a grid or list, and the vulnerable code processes the shortcode attributes unsafely.
Exploitation
An attacker must have at least a Contributor-level account on the WordPress site. They can craft a shortcode block with malicious parameters that point to a local .php file. The attacker includes the path to a file (e.g., one uploaded via media upload or another plugin) that contains attacker-controlled PHP code. The shortcode function then includes and executes that file. No additional user interaction beyond inserting the malicious shortcode into a post or page is required. The attacker can use standard WordPress post editing privileges to achieve this.
Impact
Successful exploitation allows the attacker to execute arbitrary PHP code within the context of the WordPress server. This can result in bypassing access controls, reading sensitive data (e.g., database credentials), or achieving complete remote code execution if the attacker can also upload a .php file. Privilege escalation to administrator-level access is a likely outcome.
Mitigation
A patched version has not been released as of the publication date (2026-05-27). All versions up to and including 0.2.1 are affected. The plugin has been closed or removed from the WordPress plugin directory. Users should remove the plugin entirely or switch to an alternative. There is no known workaround that preserves functionality. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog at this time.
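As an added illustration of what a fix for this bug class looks like (example code, not the plugin's own and not a released patch), the handler below never lets a shortcode attribute reach include() as a path: the attribute is mapped against an allowlist of template keys and the resolved file is checked to stay inside the plugin's own templates directory. The attribute name `template`, the `templates/` directory and the `qs_example_*` function names are assumptions.

```php
<?php
// Added example, not the Query Shortcode plugin's code. The advisory's flaw is a
// shortcode attribute flowing into include() unchecked; this handler shows the
// defensive pattern: allowlist first, path containment second.

// Map a user-supplied template key to a file inside $base_dir, or return false.
function qs_example_resolve_template( $name, $base_dir ) {
    // Only known template keys are accepted; no path fragments from the user.
    $allowed = array( 'list', 'grid' );
    if ( ! in_array( $name, $allowed, true ) ) {
        return false;
    }

    // Defense in depth: even an allowlisted key must resolve to a real file
    // inside the templates directory (realpath collapses ../ and symlinks).
    $base = realpath( $base_dir );
    $file = realpath( $base_dir . '/' . $name . '.php' );
    if ( false === $base || false === $file ) {
        return false;
    }
    if ( strpos( $file, $base . DIRECTORY_SEPARATOR ) !== 0 ) {
        return false;
    }
    return $file;
}

// Shortcode callback: [query template="grid"]. Unknown or malformed values
// fall back to an empty string instead of reaching include().
function qs_example_render( $atts ) {
    $atts = shortcode_atts( array( 'template' => 'list' ), $atts, 'query' );
    $file = qs_example_resolve_template(
        (string) $atts['template'],
        plugin_dir_path( __FILE__ ) . 'templates'
    );
    if ( false === $file ) {
        return '';
    }
    ob_start();
    include $file;
    return ob_get_clean();
}

add_shortcode( 'query', 'qs_example_render' );
```

Because contributors can insert arbitrary shortcodes into drafts, the same allowlist check belongs in any shortcode that selects a file; escaping or extension checks alone do not stop inclusion of an already uploaded .php file.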
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <=0.2.1
- (no CPE) range: <=0.2.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.