Description
The Surbma | Infusionsoft Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'infusionsoft-form' shortcode in versions up to, and including, 2.0.1. This is due to insufficient input sanitization and output escaping on user-supplied 'account' and 'id' shortcode attributes in the surbma_infusionsoft_shortcode_shortcode() function, which are concatenated directly into a <script> tag's src attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Problem types
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Product status
Any version
Timeline
| 2026-06-08: | Vendor Notified |
| 2026-06-26: | Disclosed |
Credits
zakaria
References
www.wordfence.com/...-f642-4a61-a175-ed5bb537bf08?source=cve
plugins.trac.wordpress.org/...bma-infusionsoft-shortcode.php
plugins.trac.wordpress.org/...bma-infusionsoft-shortcode.php
plugins.trac.wordpress.org/...hortcode&sfp_email=&sfph_mail=
plugins.trac.wordpress.org/...hortcode&sfp_email=&sfph_mail=