Security – Shortcode injection attack

  1. In general, as with any other theme or plugin on your system, there is nothing built in that can prevent all attack vectors.

  2. Shortcodes are a kind of macro for generating HTML. Shortcodes that don’t do more than that should generally be safe.

  3. The biggest problem with shortcodes is that their insertion and “execution” do not depend on any capability check. If you have an exploitable shortcode, even a contributor will be able to abuse it.

So what to do? Especially if you are running a multi-author site, avoid shortcodes that violate point 2, especially those that explicitly let you execute PHP code, and as always use themes and plugins only from respectable sources (unfortunately, popularity has almost nothing to do with being “respected”).
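As an added example (not code from the original post or from WordPress core), the two handlers below illustrate points 2 and 3: one shortcode that does nothing but emit escaped HTML, and one whose power is gated on the capabilities of the post author rather than on the viewer. The shortcode tags `safe_box` and `embed_url` and the function names are hypothetical; `shortcode_atts`, `esc_attr`, `esc_html`, `esc_url`, `wp_kses_post`, `user_can` and `get_post` are the standard WordPress functions.

```php
<?php
// Added example, not part of the original post. Tag and function names are hypothetical.

// Point 2: a shortcode that only generates HTML. Every attribute and the enclosed
// content is escaped or filtered, so the person inserting it cannot smuggle in
// script or arbitrary markup, whatever their role.
function example_safe_box_shortcode( $atts, $content = '' ) {
	$atts = shortcode_atts(
		array( 'title' => '', 'color' => '#333333' ),
		$atts,
		'safe_box'
	);

	// Allow-list the colour value instead of trusting it in a style attribute.
	$color = preg_match( '/^#[0-9a-fA-F]{6}$/', $atts['color'] ) ? $atts['color'] : '#333333';

	return sprintf(
		'<div class="safe-box" style="border-color:%s"><strong>%s</strong>%s</div>',
		esc_attr( $color ),
		esc_html( $atts['title'] ),
		wp_kses_post( do_shortcode( $content ) ) // only post-safe HTML survives
	);
}
add_shortcode( 'safe_box', 'example_safe_box_shortcode' );

// Point 3: WordPress performs no capability check when a shortcode is inserted or
// rendered, so a powerful shortcode must enforce one itself. Note that
// current_user_can() inside the callback tests the *viewer* of the page, not the
// user who placed the shortcode; the relevant user is the author of the post.
function example_embed_url_shortcode( $atts ) {
	$atts = shortcode_atts( array( 'src' => '' ), $atts, 'embed_url' );

	$post = get_post();
	if ( ! $post || ! user_can( (int) $post->post_author, 'unfiltered_html' ) ) {
		// Contributors and authors lack unfiltered_html: render nothing.
		return '';
	}

	// Only https URLs are accepted; esc_url() returns '' for anything else.
	$src = esc_url( $atts['src'], array( 'https' ) );
	if ( '' === $src ) {
		return '';
	}
	return sprintf( '<iframe src="%s" sandbox></iframe>', esc_attr( $src ) );
}
add_shortcode( 'embed_url', 'example_embed_url_shortcode' );
```

A contributor who pastes `[embed_url src="..."]` into their own draft gets an empty string at render time, while the same shortcode in a post authored by an administrator renders the sandboxed frame.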