Description
The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.4.5 via the su_shortcode_csv_table function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. If the 'Unsafe features' option is explicitly enabled by an administrator, this issue becomes exploitable by Contributor+ attackers.
Published: 2025-11-23
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery with administrator‑level access
Action: Immediate Patch
AI Analysis

Impact

The WP Shortcodes Plugin – Shortcodes Ultimate contains a server‑side request forgery flaw in the su_shortcode_csv_table shortcode handler. The function accepts an arbitrary URL supplied by the user and retrieves it without adequate filtering, so an attacker can direct the vulnerable WordPress instance to request any network location the server can reach. Placing the shortcode requires a logged‑in user with Administrator or higher privileges (or Contributor and above if the "Unsafe features" option is enabled), so exploitation is authenticated; once triggered, the confidentiality and integrity of internal or external services reachable from the server can be affected. The flaw is classified as CWE‑918.
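As an added illustration of the defensive pattern (not the plugin's own code or its fix), the following PHP shows how a shortcode that fetches a remote CSV can validate its URL attribute before the server requests it; the function names, the hook name and the allow‑listed host are assumptions:

```php
<?php
// Added illustration, not the plugin's code: a hardened fetch for a
// user-supplied CSV source URL. Function names, the filter hook and the
// allow-listed host are assumptions chosen for this example.

/**
 * Validate a user-supplied URL before the server fetches it.
 * Returns the URL on success or a WP_Error explaining the rejection.
 */
function example_validate_csv_source( $url ) {
    $url   = trim( (string) $url );
    $parts = wp_parse_url( $url );
    if ( ! $parts || empty( $parts['scheme'] ) || empty( $parts['host'] ) ) {
        return new WP_Error( 'ssrf_bad_url', 'URL must be absolute.' );
    }
    // Only plain web schemes; rejects file://, gopher://, php:// and similar.
    if ( ! in_array( strtolower( $parts['scheme'] ), array( 'http', 'https' ), true ) ) {
        return new WP_Error( 'ssrf_bad_scheme', 'Only http(s) URLs are allowed.' );
    }
    // Allow-list of hosts the site is known to pull CSV data from
    // (constructed placeholder value; extend via the assumed filter hook).
    $allowed_hosts = apply_filters( 'example_csv_allowed_hosts', array( 'data.example.com' ) );
    if ( ! in_array( strtolower( $parts['host'] ), $allowed_hosts, true ) ) {
        return new WP_Error( 'ssrf_host_not_allowed', 'Host is not on the allow-list.' );
    }
    // WordPress core check: resolves the host and rejects loopback and
    // RFC 1918 targets unless the http_request_host_is_external filter permits them.
    if ( false === wp_http_validate_url( $url ) ) {
        return new WP_Error( 'ssrf_internal_target', 'URL points at a non-public address.' );
    }
    return $url;
}

/**
 * Fetch the CSV body with the safe HTTP wrapper, which re-validates the
 * URL (reject_unsafe_urls) and applies the same check to redirect targets.
 */
function example_fetch_csv( $url ) {
    $checked = example_validate_csv_source( $url );
    if ( is_wp_error( $checked ) ) {
        return $checked;
    }
    $response = wp_safe_remote_get( $checked, array( 'timeout' => 5, 'redirection' => 2 ) );
    if ( is_wp_error( $response ) ) {
        return $response;
    }
    if ( 200 !== (int) wp_remote_retrieve_response_code( $response ) ) {
        return new WP_Error( 'csv_http_status', 'Unexpected HTTP status.' );
    }
    return wp_remote_retrieve_body( $response );
}
```

Disabling the "Unsafe features" option and upgrading the plugin remain the primary controls; this allow‑list plus wp_http_validate_url is the defence‑in‑depth layer a site owner can add in their own integration code.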

Affected Systems

GN Themes distributes the WP Shortcodes Plugin – Shortcodes Ultimate for WordPress. All releases up to and including version 7.4.5 are affected; newer releases are not listed as vulnerable. Only WordPress sites running the affected plugin are exposed.

Risk and Exploitability

The CVSS score of 6.4 classifies the vulnerability as medium severity, while the EPSS score of less than 1% indicates a low current likelihood of exploitation. The flaw is not listed in the CISA KEV catalog, so no active in‑the‑wild exploitation is recorded. Nonetheless, an authenticated attacker with the required privilege level can make the server request any internal network address, enabling data exfiltration from or manipulation of internal services. If the "Unsafe features" setting is enabled, users with Contributor or higher privileges can also exploit the flaw, widening the attack surface. Overall the risk remains medium, but mitigation should be prompt to prevent internal network exposure.

Generated by OpenCVE AI on April 22, 2026 at 00:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP Shortcodes Plugin – Shortcodes Ultimate to version 7.4.6 or later to remove the SSRF flaw.
  • In the plugin settings, disable the "Unsafe features" option to prevent the flaw from being reachable by contributors or lower‑privileged roles.
  • Remove or restrict Administrator and Contributor accounts that are not required for normal operation, and enforce a least‑privilege model for all WordPress users.


Advisories

No advisories yet.

History

Tue, 25 Nov 2025 11:15:00 +0000

Values added (nothing removed):
  First Time appeared: Gn Themes; Gn Themes wp Shortcodes Plugin; Wordpress; Wordpress wordpress
  Vendors & Products: Gn Themes; Gn Themes wp Shortcodes Plugin; Wordpress; Wordpress wordpress

Mon, 24 Nov 2025 18:15:00 +0000

Values added (nothing removed):
  Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 23 Nov 2025 22:45:00 +0000

Values added (nothing removed):
  Description: The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.4.5 via the su_shortcode_csv_table function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. If the 'Unsafe features' option is explicitly enabled by an administrator, this issue becomes exploitable by Contributor+ attackers.
  Title: WP Shortcodes Plugin — Shortcodes Ultimate <= 7.4.5 - Authenticated (Administrator+) Server-Side Request Forgery
  Weaknesses: CWE-918
  References:
  Metrics: cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:55:40.023Z

Reserved: 2025-11-06T12:02:44.591Z

Link: CVE-2025-12800

Vulnrichment

Updated: 2025-11-24T17:19:39.758Z

NVD

Status: Deferred

Published: 2025-11-23T23:15:45.983

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12800

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T00:30:04Z

Weaknesses