Threat Feed
high threat

CVE-2026-9200: WordPress Query Shortcode Plugin Vulnerable to Local File Inclusion

The Query Shortcode plugin for WordPress is vulnerable to Local File Inclusion (CVE-2026-9200) in versions up to and including 0.2.1. An authenticated attacker with Contributor-level access or above can make the plugin include, and therefore execute, arbitrary PHP files already present on the server, which can lead to privilege escalation and code execution.

The Query Shortcode plugin for WordPress, in versions up to and including 0.2.1, contains a Local File Inclusion (LFI) vulnerability tracked as CVE-2026-9200. The plugin's shortcode handler takes a file path from shortcode input and includes it without adequate validation. Any authenticated user with the Contributor role or higher can place such a shortcode in post content; when WordPress renders that content, the plugin includes whatever file the shortcode names. Because the inclusion is local, the attacker can only reach files that already exist on the server, whether shipped with the installation or placed there by some other means. Including a configuration file such as wp-config.php discloses its contents and bypasses the access controls that normally protect it; including a PHP file the attacker controls executes it with the web server's privileges. That is how the flaw turns a low-privilege contributor account into arbitrary PHP execution and, from there, into complete compromise of the site and potentially the host. The root cause is insufficient input validation in the plugin's shortcode processing.

Attack Chain

  1. The attacker obtains an account with Contributor-level access or higher on the WordPress site.
  2. The attacker crafts a shortcode whose file-path input names the file they want the plugin to include.
  3. The attacker saves the shortcode into a WordPress page or post.
  4. WordPress renders the content and dispatches the shortcode to the vulnerable Query Shortcode plugin.
  5. The plugin passes the attacker-supplied path to an include without validating it.
  6. The plugin includes the file at that path; if the file is PHP, the interpreter executes it.
  7. Where the included file contains attacker-controlled PHP, the attacker gains code execution as the web server user.
  8. The attacker escalates privileges and compromises the server.
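The step at the heart of this chain is an include that trusts a shortcode-supplied path. The following is an added example, written for this page rather than taken from the Query Shortcode plugin (which is PHP and whose actual attribute names this advisory does not give). It builds a constructed directory layout, shows the unvalidated resolution the advisory describes beside a hardened resolver, and reports for each probe whether the unvalidated path reaches a real file and whether the hardened check accepts it. The template names, the allowlist and the "templates" and "uploads" directories are assumptions.

```python
import os
import re
import tempfile

# Hypothetical allowlist of template names the shortcode may select.
ALLOWED_TEMPLATES = frozenset({"list", "grid"})
SAFE_NAME = re.compile(r"[a-z0-9_-]{1,64}")


def build_sandbox():
    """Constructed stand-in for a WordPress install (not a real one):
    <root>/plugin/templates/list.php  a legitimate plugin template
    <root>/uploads/shell.php          PHP an attacker has already got onto disk
    Nothing here is executed; the files exist only so the path checks are real."""
    root = tempfile.mkdtemp(prefix="cve-2026-9200-demo-")
    templates = os.path.join(root, "plugin", "templates")
    uploads = os.path.join(root, "uploads")
    os.makedirs(templates)
    os.makedirs(uploads)
    with open(os.path.join(templates, "list.php"), "w") as fh:
        fh.write("<?php /* legitimate template */ ?>\n")
    with open(os.path.join(uploads, "shell.php"), "w") as fh:
        fh.write("<?php /* attacker-placed file, never run here */ ?>\n")
    return root


def vulnerable_resolve(template_dir, attr):
    """The flaw the advisory describes: the shortcode value becomes a path with
    no validation. '../' walks out of template_dir however the path is built;
    an absolute value additionally makes os.path.join drop template_dir."""
    return os.path.join(template_dir, attr)


def hardened_resolve(template_dir, attr):
    """Three checks: allowlist the bare name, append the extension ourselves,
    and confirm the canonical path is still inside template_dir. Together they
    reject '../', absolute paths, stream wrappers such as php:// and symlinks
    that point outside the directory."""
    name = attr[:-4] if attr.lower().endswith(".php") else attr
    if not SAFE_NAME.fullmatch(name) or name not in ALLOWED_TEMPLATES:
        raise ValueError(f"template {attr!r} is not on the allowlist")
    base = os.path.realpath(template_dir)
    candidate = os.path.realpath(os.path.join(base, name + ".php"))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"{candidate!r} escapes {base!r}")
    if not os.path.isfile(candidate):
        raise FileNotFoundError(candidate)
    return candidate


def accepts(template_dir, attr):
    """True if the hardened resolver would include the file."""
    try:
        hardened_resolve(template_dir, attr)
        return True
    except (ValueError, FileNotFoundError):
        return False


def compare(root):
    """Per probe: (unvalidated path reaches an existing file, hardened accepts it)."""
    template_dir = os.path.join(root, "plugin", "templates")
    probes = {
        "legit": "list.php",
        "traversal": "../../uploads/shell.php",
        "absolute": os.path.join(root, "uploads", "shell.php"),
        "missing": "grid",  # allowed name, but no such template file exists
    }
    return {label: (os.path.isfile(vulnerable_resolve(template_dir, p)),
                    accepts(template_dir, p))
            for label, p in probes.items()}


if __name__ == "__main__":
    for label, (vuln_hits, safe_ok) in compare(build_sandbox()).items():
        print(f"{label:10s} unvalidated include reaches file: {str(vuln_hits):5s} "
              f"hardened accepts: {safe_ok}")
```

The allowlist does most of the work; the realpath containment test is defence in depth against a symlink dropped inside the template directory, which an allowlist alone would not catch. A PHP plugin applies the same three checks with in_array(), realpath() and a prefix comparison.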

Impact

Successful exploitation of CVE-2026-9200 lets an attacker execute arbitrary PHP code on the WordPress server. Consequences include unauthorized access to sensitive data, modification of website content, and complete takeover of the server. Every WordPress installation running Query Shortcode version 0.2.1 or earlier is affected, so the exposed population scales with the plugin's install base, and the low privilege needed (a Contributor account) means that on multi-author sites the attacker does not even need to compromise an administrator first.

Recommendation

  • Immediately upgrade the Query Shortcode plugin to the latest available version, which remediates CVE-2026-9200, and confirm afterwards that the installed version is no longer 0.2.1 or earlier.
  • Deploy the Sigma rule "Detect CVE-2026-9200 Exploitation Attempt via WordPress Query Shortcode" to identify potential exploitation attempts.
  • Review WordPress user roles and permissions to enforce least privilege: exploitation requires only a Contributor account, so audit every account at Contributor level or above and remove those that are stale or unnecessary.
  • Add web application firewall (WAF) rules that filter shortcode injections targeting CVE-2026-9200 as a stopgap, not a fix: the shortcode arrives in the body of an authenticated post-save request, so the WAF must inspect request bodies to the editor and REST endpoints to see it.

Detection coverage (2 rules)

Detect CVE-2026-9200 Exploitation Attempt via WordPress Query Shortcode

Severity: high

Detects attempts to exploit the Local File Inclusion vulnerability in the WordPress Query Shortcode plugin (CVE-2026-9200) by flagging access to sensitive files through shortcode input.

Format: Sigma
Tactics: initial_access, privilege_escalation
Techniques: T1552
Sources: webserver

Detect Arbitrary PHP Execution via WordPress Plugin LFI

Severity: high

Detects attempts to execute arbitrary PHP code through Local File Inclusion vulnerabilities in WordPress plugins, focusing on file inclusion patterns in requests.

Format: Sigma
Tactics: execution
Techniques: T1059.004
Sources: webserver
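Both rules above run over web server logs and key on file inclusion patterns. The following is an added example, not the platform's Sigma rules, that approximates their logic in Python over constructed Common Log Format lines: the first rule fires on traversal sequences, known sensitive file names or PHP stream wrappers in request parameters, the second on a .php target reached through traversal, a wrapper, or the uploads directory. Parameter values are decoded a second time so double-encoded payloads are caught. The "template" parameter name, the IP addresses and the timestamps are placeholders; the rules match on values, not names.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Common Log Format request line; only the fields the two rules need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

TRAVERSAL = re.compile(r"\.\.[/\\]")
WRAPPER = re.compile(r"\b(php|phar|data|file|expect|zip)://", re.I)
SENSITIVE = re.compile(r"/etc/(passwd|shadow)|/proc/self/environ|wp-config\.php|\.htaccess", re.I)
PHP_FILE = re.compile(r"\.php\b", re.I)
UPLOADS_PHP = re.compile(r"wp-content/uploads/.*\.php", re.I)


def param_values(uri):
    """Decoded query-string values. parse_qsl decodes once; the extra
    unquote_plus catches double-encoded payloads such as %252e%252e%252f."""
    query = urlsplit(uri).query
    return [unquote_plus(v) for _, v in parse_qsl(query, keep_blank_values=True)]


def rule_sensitive_file(values):
    """Approximates the first rule: traversal, a known sensitive file name,
    or a stream wrapper in data the shortcode could take as a path."""
    return any(TRAVERSAL.search(v) or SENSITIVE.search(v) or WRAPPER.search(v)
               for v in values)


def rule_php_inclusion(values):
    """Approximates the second rule: a .php target reached by traversal,
    a wrapper, or anything under wp-content/uploads ending in .php."""
    return any(WRAPPER.search(v) or UPLOADS_PHP.search(v)
               or (TRAVERSAL.search(v) and PHP_FILE.search(v)) for v in values)


RULES = {
    "lfi_sensitive_file_via_shortcode": rule_sensitive_file,
    "php_execution_via_plugin_lfi": rule_php_inclusion,
}


def scan(lines):
    """Return one finding per log line that trips at least one rule."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        values = param_values(m.group("uri"))
        hits = [name for name, fn in RULES.items() if fn(values)]
        if hits:
            findings.append({"line": n, "ip": m.group("ip"),
                             "uri": m.group("uri"), "rules": hits})
    return findings


# Constructed sample traffic. Line 6 carries its shortcode in a POST body,
# which an access log does not record, so it is not flagged: catching it
# needs a source that logs request bodies (WAF or ModSecurity audit log).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2026:10:00:01 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 5123',
    '203.0.113.7 - - [12/Mar/2026:10:00:05 +0000] "GET /wp-admin/post.php?post=42&action=edit HTTP/1.1" 200 88012',
    '198.51.100.23 - - [12/Mar/2026:10:01:10 +0000] "GET /?p=42&template=../../../../etc/passwd HTTP/1.1" 200 4096',
    '198.51.100.23 - - [12/Mar/2026:10:01:12 +0000] "GET /?p=42&template=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 200 4096',
    '198.51.100.23 - - [12/Mar/2026:10:01:15 +0000] "GET /?p=42&template=php://filter/convert.base64-encode/resource=wp-config.php HTTP/1.1" 200 9000',
    '198.51.100.23 - - [12/Mar/2026:10:01:20 +0000] "POST /wp-json/wp/v2/posts/42 HTTP/1.1" 200 1200',
    '198.51.100.23 - - [12/Mar/2026:10:01:25 +0000] "GET /?p=42&template=../../uploads/shell.php HTTP/1.1" 200 120',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f['line']} {f['ip']} {', '.join(f['rules'])}  {f['uri']}")
```

Lines 3, 4, 5 and 7 are flagged; line 3 trips only the sensitive-file rule because /etc/passwd is not a PHP target, while the php://filter line trips both. Tune the sensitive-file and uploads patterns to your site's layout before deploying, and treat a hit on a WordPress rendering path from a logged-in session as high priority.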
