CVE-2025-12800 is a Server-Side Request Forgery (SSRF) vulnerability in the WP Shortcodes Plugin — Shortcodes Ultimate for WordPress, affecting all versions up to 7.4.5. The flaw exists in the su_shortcode_csv_table function, allowing authenticated users with Administrator privileges to induce the application to make arbitrary HTTP requests to internal or external systems. When the plugin's 'Unsafe features' option is enabled by an administrator, this vulnerability extends to users with Contributor-level access or higher. This can lead to unauthorized querying and modification of internal services. The vulnerability is tracked as CWE-918 and has a CVSS 3.1 base score of 6.4 (medium severity). No known exploits in the wild have been reported, and no official patch or remediation information is currently provided.

An attacker with Administrator-level access can exploit this SSRF vulnerability to make arbitrary web requests from the server hosting the WordPress site, potentially accessing or modifying internal services that are not otherwise exposed. If the 'Unsafe features' option is enabled, attackers with Contributor-level access or higher can also exploit this vulnerability, broadening the threat scope. This could lead to unauthorized information disclosure or modification within internal networks. There is no indication of direct denial of service or remote code execution from this vulnerability. No known active exploitation has been reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict plugin usage to trusted administrators and avoid enabling the 'Unsafe features' option to limit the risk of exploitation by lower-privileged users. Monitor for updates from the vendor gn_themes regarding patches or official mitigations.