Shortcodes Ultimate < 7.4.3 – Arbitrary Shortcode Execution via CSRF | CVE 2025-7369 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation on the preview function. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
In combination with CVE-2025-7354, it leads to Reflected Cross-Site Scripting.

Affects Plugins

shortcodes-ultimate

Fixed in 7.4.3

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/5934d1c8-1553-4908-aaab-89d2189eb4cd

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Verified

No

WPVDB ID

46b0583f-5761-4738-b93c-0e0581aed737

Timeline

Publicly Published

2025-07-20 (about 9 months ago)

Added

2025-07-22 (about 9 months ago)

Last Updated

2025-07-22 (about 9 months ago)

Other

Published

Title

Published

2022-09-21

Title

WP Custom Cursors < 3.0.1 - Stored Cross-Site Scripting via CSRF

Published

2023-07-03

Title

Waitlist Woocommerce < 2.5.3 - Settings Reset via CSRF

Published

2025-09-29

Title

Chat by Chatwee <= 2.1.3 - Cross-Site Request Forgery to Settings Update

Published

2025-05-07

Title

Contribuinte Checkout < 2.0.04 - Stored XSS via CSRF

Published

2025-03-28

Title

NertWorks All in One Social Share Tools <= 1.26 - Cross-Site Request Forgery