Server-Side Request Forgery Vulnerability in Shortcodes Ultimate Plugin by WordPress
CVE-2025-12800

6.4MEDIUM

Key Information:

Vendor: WordPress
Status: WP Shortcodes Plugin — Shortcodes Ultimate
Vendor: CVE Published:; 23 November 2025

What is CVE-2025-12800?

The Shortcodes Ultimate plugin for WordPress is vulnerable to a Server-Side Request Forgery (SSRF) attack that affects all versions up to and including 7.4.5. Authenticated users with Administrator-level access can exploit this vulnerability via the su_shortcode_csv_table function, allowing them to send requests to external resources from the web application. If the 'Unsafe features' option is activated by an administrator, even users with Contributor privileges can leverage this vulnerability to access and manipulate internal services, posing significant security risks.

Affected Version(s)

WP Shortcodes Plugin — Shortcodes Ultimate * <= 7.4.5

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3397946/

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 23, 2025
Vulnerability Reserved
Nov 6, 2025

Credit

GABRIEL GERALDINO DE SOUZA

JSON