WordPress Plugin Vulnerabilities

Shortcodes Ultimate < 7.4.6 - Admin+ SSRF

Description

The plugin is vulnerable to Server-Side Request Forgery via the su_shortcode_csv_table function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. If the 'Unsafe features' option is explicitly enabled by an administrator, this issue becomes exploitable by Contributor+ attackers

Affects Plugins

Plugin icon
shortcodes-ultimate
Fixed in 7.4.6

References

CVE
CVE-2025-12800
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/5cbb7db4-bef7-4799-9b65-ebe77976e21c

Classification

Type
SSRF
OWASP top 10
A1: Injection
CWE
CWE-918
CVSS
5.5 (medium)

Miscellaneous

Original Researcher
apolo2
Verified
No
WPVDB ID
5a379ba4-ba34-431a-b790-03295059120e

Timeline

Publicly Published
2025-11-23 (about 5 months ago)
Added
2025-11-24 (about 5 months ago)
Last Updated
2025-11-24 (about 5 months ago)

Other

Published
Title
Published
2026-04-10
Title
UsersWP < 1.2.59 - Authenticated (Subscriber+) Server-Side Request Forgery via 'uwp_crop' Parameter
Published
2026-03-14
Title
Coming Soon Page, Under Construction & Maintenance Mode by SeedProd < 6.19.9 - Editor+ Server-Side Request Forgery
Published
2025-11-18
Title
AI Engine < 3.1.9 - Authenticated (Editor+) Server-Side Request Forgery
Published
2025-08-14
Title
Simplified < 1.0.12 - Authenticated (Administrator+) Server-Side Request Forgery
Published
2026-01-05
Title
Xagio SEO < 7.1.0.31 - Authenticated (Subscriber+) Server-Side Request Forgery