This is probably a silly question. Could someone potentially use a short code injection attack?
What is stopping someone from injecting something like this?
I am sure that WP already thought about this but I am just wondering, what security mechanism stops this type of injection attack?
In general, like with any other theme or plugin on your system, there is nothing built-in that can prevent all attack vectors
Shortcodes are a kind of macros for generating HTML. Shortcodes that don’t do more than that should generally be safe.
The biggest problem with shortcodes is that their insertion and “execution” do not depend on any capability check. If you have an exploitable shortcode, even a contributor will be able to abuse it.
So what to do? Especially if you are running a multi author site, avoid shortcodes that violate point 2, especially those that explicitly let you execute PHP code, and as always use themes and plugins only from respectable sources (unfortunately, popularity has almost nothing to do with being “respected”).
Like with everything the problem is in the PHP code.
As Mark explained, always use themes and plugins from respectable sources. There is one tool called RIPS that you may also use.