CVE-2026-9200: Query Shortcode WordPress Plugin RCE Flaw

CVE-2026-9200 Overview

The Query Shortcode plugin for WordPress contains a Local File Inclusion (LFI) vulnerability affecting all versions up to and including 0.2.1. The flaw resides in the plugin's shortcode function, which fails to properly validate file paths before inclusion. Authenticated attackers with contributor-level access or above can include and execute arbitrary .php files on the server. This enables execution of any PHP code in those files, bypassing access controls and exposing sensitive data. Where attackers can upload .php files through other means, the vulnerability can be chained into full remote code execution. The issue is classified under CWE-98, improper control of filename for include/require statement.

Critical Impact

Authenticated contributors can execute arbitrary PHP code on WordPress sites running Query Shortcode 0.2.1 or earlier, leading to access control bypass and potential full site compromise.

Affected Products

• Query Shortcode plugin for WordPress, all versions ≤ 0.2.1
• WordPress sites with contributor-level or higher accounts enabled
• Hosting environments where .php file uploads are possible alongside the plugin

Discovery Timeline

• 2026-05-27 - CVE-2026-9200 published to NVD
• 2026-05-27 - Last updated in NVD database

Technical Details for CVE-2026-9200

Vulnerability Analysis

The Query Shortcode plugin exposes a WordPress shortcode that accepts user-controlled input and passes it to a PHP include or require statement without sufficient validation. Because shortcodes are rendered when posts are previewed or published, any user with the edit_posts capability can trigger the vulnerable code path. Contributor accounts in WordPress can create draft posts containing shortcodes, which is sufficient to reach the vulnerable function during preview rendering.

When the shortcode handler resolves the attacker-supplied parameter, it appends a .php extension and includes the resulting path. An attacker can use directory traversal sequences to reference files anywhere on the local filesystem that the web server process can read. The Wordfence advisory documents the vulnerable code paths at lines 56, 97, and 178 of init.php in the plugin's trunk source.

Root Cause

The root cause is improper neutralization of path-related characters in a parameter that flows into a PHP file inclusion statement. The plugin treats the shortcode attribute as a trusted template name and concatenates it directly into an include call. No allowlist, base-directory check, or realpath() validation prevents traversal outside the intended template directory.

Attack Vector

Exploitation requires an authenticated WordPress account with contributor privileges or higher. The attacker creates or edits a post containing the vulnerable shortcode with a crafted file path attribute. When the post is rendered (including in preview mode), WordPress executes the shortcode, and the plugin includes the targeted PHP file. The attacker can target log files, uploaded media containing PHP payloads, or session files to convert the inclusion into arbitrary code execution. Exploitation occurs over the network (HTTP), with no user interaction required beyond the attacker's own authenticated session.

No verified public proof-of-concept code is available. Technical details of the vulnerable code paths are documented in the Wordfence Vulnerability Report and the WordPress Plugin Source Repository.

Detection Methods for CVE-2026-9200

Indicators of Compromise

• Unexpected PHP include or require entries in PHP error logs referencing paths outside the plugin's template directory
• Post or page content containing Query Shortcode invocations with path traversal sequences such as ../ or absolute filesystem paths
• New or modified .php files in wp-content/uploads/ directories where executable PHP is not expected
• Contributor accounts creating posts that immediately invoke shortcodes with file-path-like parameters

Detection Strategies

• Search the wp_posts table for shortcode invocations referencing the Query Shortcode tag combined with traversal characters or absolute paths
• Monitor web server access logs for POST requests to /wp-admin/post.php and /wp-admin/admin-ajax.php originating from contributor accounts followed by preview requests
• Inspect PHP open_basedir violation messages and inclusion-related warnings tied to the plugin's init.php

Monitoring Recommendations

• Alert on file integrity changes to wp-content/uploads/ and any PHP files written outside the WordPress core and plugin directories
• Track creation of new contributor or author accounts and correlate with subsequent post-edit activity
• Enable WordPress audit logging for shortcode-bearing post revisions and review submissions from low-privilege roles

How to Mitigate CVE-2026-9200

Immediate Actions Required

• Deactivate and remove the Query Shortcode plugin until a patched version is released and verified
• Audit all WordPress accounts with contributor-level access or higher and disable accounts that are not actively needed
• Review recent posts and drafts for shortcode invocations referencing file paths or traversal sequences
• Restrict PHP execution within wp-content/uploads/ through web server configuration

Patch Information

At the time of NVD publication on 2026-05-27, all versions up to and including 0.2.1 are vulnerable. Administrators should monitor the WordPress plugin repository and the Wordfence advisory for an updated release that validates shortcode parameters against an allowlist of template files.

Workarounds

• Remove contributor and author roles from users who do not require posting privileges
• Use a web application firewall rule to block POST requests containing the Query Shortcode tag with ../ sequences or absolute filesystem paths
• Configure PHP open_basedir to restrict file inclusion to the WordPress installation directory
• Disable PHP interpretation in upload directories by adding php_flag engine off or equivalent web server directives

# Example Apache configuration to block PHP execution in uploads
<Directory "/var/www/html/wp-content/uploads">
    <FilesMatch "\.php$">
        Require all denied
    </FilesMatch>
    php_flag engine off
</Directory>

# Example nginx configuration
location ~* /wp-content/uploads/.*\.php$ {
    deny all;
    return 403;
}