The Query Shortcode plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0.2.1 via the shortcode function. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
The Query Shortcode plugin for WordPress contains a Local File Inclusion (LFI) vulnerability in all versions up to and including 0.2.1. The plugin's shortcode function resolves a file path from shortcode input without adequately restricting it, so any authenticated user with contributor-level access or higher can make the server include and execute an arbitrary .php file. The impact matters because it bridges the gap between low-privilege authentication and code execution: a contributor only has to place the shortcode in a post they are allowed to edit and preview it. Two caveats frame the severity. First, this is a local inclusion, so the attacker needs a .php file that already exists on disk; a default WordPress install does not let contributors upload files at all, and the media uploader rejects .php, so full code execution requires a separate upload path (another plugin, a misconfiguration, or a higher role). Second, even without a controlled file, including existing PHP files outside their intended context can bypass access controls or expose sensitive data. Sites that hand contributor roles to untrusted users (open registration, guest authors) are the most exposed; until a fixed release is installed, restricting who holds that role or deactivating the plugin removes the exposure.
This CVE carries no MITRE ATT&CK technique mapping in its current metadata, but the behaviour sits in the Execution and Defense Evasion domains: a low-privilege account abusing a content-rendering feature to run server-side code. Casky's 754 mapped security skills approach it from the detection side rather than from a plugin signature. The signals a practitioner would correlate are: shortcode attributes in post content and revisions that carry path fragments (directory traversal sequences, absolute paths, or .php references); PHP execution originating from directories that should only hold data, such as wp-content/uploads; and reads of sensitive files such as wp-config.php triggered during page rendering. Together these point at improper input validation in a WordPress plugin and at a post-authentication privilege escalation attempt, and because a contributor's draft is stored before it is previewed, they can be seen before the inclusion actually executes.
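The pattern behind a shortcode-driven LFI, beside one way to close it, as an added illustration. This is not the Query Shortcode plugin's code: the shortcode name qs_list, the template attribute, the templates/ directory and the allowlist names are assumptions chosen for the example.

```php
<?php
/*
 * Illustrative only. NOT the Query Shortcode plugin's code; the shortcode
 * name, attribute and directory layout below are assumptions.
 */

// --- Vulnerable pattern (hypothetical) -----------------------------------
// A contributor writes [qs_list template="../../../uploads/evil"] in a draft
// and previews it. Path resolution:
//   <plugins>/<this-plugin>/templates/../../../uploads/evil.php
//   => wp-content/uploads/evil.php, executed as PHP.
// The appended ".php" only limits the target to PHP files, which is exactly
// what the advisory describes. This function is deliberately NOT registered.
function qs_vulnerable_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'template' => 'default' ), $atts, 'qs_list' );
    ob_start();
    // $atts['template'] is attacker-controlled and reaches include() unchecked.
    include plugin_dir_path( __FILE__ ) . 'templates/' . $atts['template'] . '.php';
    return ob_get_clean();
}

// --- Hardened pattern ------------------------------------------------------
function qs_hardened_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'template' => 'default' ), $atts, 'qs_list' );

    // 1. Allowlist: only template names the plugin ships may be loaded.
    //    sanitize_key() lowercases and strips everything but [a-z0-9_-],
    //    so "../" and "/" can never survive, but the allowlist is the real gate.
    $allowed = array( 'default', 'grid', 'list' );
    $name    = sanitize_key( $atts['template'] );
    if ( ! in_array( $name, $allowed, true ) ) {
        $name = 'default';
    }

    // 2. Defence in depth: resolve the final path and refuse anything that
    //    does not sit inside templates/, so a future edit to the allowlist
    //    (or a symlink in that directory) cannot reopen the hole.
    $base = realpath( plugin_dir_path( __FILE__ ) . 'templates' );
    $file = realpath( $base . DIRECTORY_SEPARATOR . $name . '.php' );
    if ( false === $base || false === $file
        || 0 !== strpos( $file, $base . DIRECTORY_SEPARATOR ) ) {
        return '';
    }

    ob_start();
    include $file;
    return ob_get_clean();
}

add_shortcode( 'qs_list', 'qs_hardened_shortcode' );
```

Note that a capability check inside the handler would not fix this class of bug: the shortcode runs when the post is rendered, for whoever views or previews it, not as the author who inserted it. The control has to be on the value, which is why the fix is an allowlist of known templates plus a realpath prefix check rather than a permission test.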
This vulnerability is tracked as CVE-2026-9200.