CVE-2025-12800

Name of the Vulnerable Software and Affected Versions WP Shortcodes Plugin – Shortcodes Ultimate versions prior to 7.4.6

Description The Shortcodes Ultimate plugin for WordPress is susceptible to Server-Side Request Forgery (SSRF). This allows authenticated attackers with Administrator-level access, and potentially Contributor-level access if 'Unsafe features' are enabled, to make web requests to arbitrary locations from the web application. This could allow querying and modification of information from internal services via the su shortcode csv table function.

Recommendations Update to version 7.4.6 or later. If unable to update, disable the 'Unsafe features' option. Restrict access to users with appropriate permissions.