CVE-2025-12800: CWE-918 Server-Side Request Forgery (SSRF) in gn_themes WP Shortcodes Plugin — Shortcodes Ultimate
The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.4.5 via the su_shortcode_csv_table function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. If the 'Unsafe features' option is explicitly enabled by an administrator, this issue becomes exploitable by Contributor+ attackers.
AI Analysis
Technical Summary
CVE-2025-12800 is a Server-Side Request Forgery (SSRF) vulnerability in the WP Shortcodes Plugin — Shortcodes Ultimate, a popular WordPress plugin developed by gn_themes. The vulnerability exists in the su_shortcode_csv_table function and affects all plugin versions up to and including 7.4.5. SSRF vulnerabilities let an attacker make the server send crafted HTTP requests to arbitrary locations, including internal network services that are not reachable from outside. In this case, exploitation requires authenticated access with Administrator privileges, which the attacker can then use to query or modify internal services. Notably, if the plugin's 'Unsafe features' option is explicitly enabled by an administrator, the attack surface expands to users with Contributor-level access or higher, lowering the barrier to exploitation. The vulnerability requires no user interaction and has a CVSS 3.1 base score of 6.4 (medium); the vector indicates a network attack vector, low attack complexity, privileges required, no user interaction, and partial impact on confidentiality and integrity with no impact on availability. No public exploits have been reported yet, but the vulnerability poses a risk of internal network reconnaissance, data leakage, or unauthorized modification of internal services. The plugin is widely used in WordPress environments, which are prevalent across many European organizations, especially those relying on WordPress for content management and web presence.
Potential Impact
For European organizations, this vulnerability could lead to unauthorized internal network scanning, data exfiltration, or manipulation of internal services if exploited. Since the vulnerability requires at least Administrator-level access (or Contributor-level if unsafe features are enabled), the risk is primarily from insider threats or compromised credentials. Exploitation could allow attackers to bypass perimeter defenses by leveraging the web server as a proxy to access internal resources, potentially exposing sensitive data or disrupting internal operations. Organizations with complex internal networks or sensitive internal APIs are at higher risk. The impact on confidentiality and integrity is moderate, with no direct availability impact. Given the widespread use of WordPress and this plugin in Europe, especially in sectors like media, education, and small to medium enterprises, the vulnerability could be leveraged to gain footholds or pivot within networks. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits following public disclosure.
Mitigation Recommendations
1. Immediately update the WP Shortcodes Plugin — Shortcodes Ultimate to a patched version once available; if no patch exists yet, consider disabling or removing the plugin temporarily.
2. Restrict plugin usage to trusted administrators only and audit user roles to ensure no unnecessary users have Administrator or Contributor privileges, especially if 'Unsafe features' are enabled.
3. Disable the 'Unsafe features' option in the plugin settings to reduce the attack surface.
4. Implement strict network segmentation and firewall rules to limit the web server's ability to make outbound requests to internal services, effectively containing potential SSRF exploitation.
5. Monitor web server logs and internal service access logs for unusual or unexpected requests originating from the WordPress server.
6. Employ Web Application Firewalls (WAFs) with rules to detect and block SSRF patterns or suspicious internal requests.
7. Conduct regular security audits and penetration tests focusing on WordPress environments and plugins to identify similar vulnerabilities.
8. Educate administrators and contributors about the risks of enabling unsafe plugin features and the importance of strong credential management.
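One way to act on recommendations 4 and 5 (egress restriction and monitoring) is to screen the WordPress host's outbound requests against internal address space and a destination allowlist, so that a CSV-table fetch aimed at loopback, the cloud metadata range or RFC 1918 space stands out. The following is an added illustration, not code from the plugin or the advisory; the proxy log format, the WordPress server address 10.20.0.5 and the allowlist are constructed assumptions.

```python
"""Screen a WordPress host's outbound HTTP requests for SSRF-style internal destinations."""
import ipaddress
import re
from typing import Optional
from urllib.parse import urlparse

# Constructed egress-proxy log (assumption, not advisory data): "<ts> <client_ip> <resolved_dst_ip> <method> <url>"
SAMPLE_LOG = """\
2025-11-24T10:01:02Z 10.20.0.5 93.184.216.34 GET https://example.com/data.csv
2025-11-24T10:01:09Z 10.20.0.5 127.0.0.1 GET http://localhost:8080/admin/users.csv
2025-11-24T10:01:15Z 10.20.0.5 169.254.169.254 GET http://169.254.169.254/latest/meta-data/
2025-11-24T10:01:21Z 10.20.0.5 10.20.1.15 GET http://intranet.local/export.csv
2025-11-24T10:01:30Z 10.20.0.5 93.184.216.34 GET https://example.com/other.csv
"""

WP_HOSTS = {"10.20.0.5"}             # assumed address of the WordPress server
ALLOWED_DST_HOSTS = {"example.com"}  # assumed allowlist of legitimate CSV sources
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def classify_destination(dst_ip: str) -> Optional[str]:
    """Return why a resolved destination is internal, or None if it is public."""
    try:
        ip = ipaddress.ip_address(dst_ip)
    except ValueError:
        return "unparseable destination address"
    if ip.is_loopback:      # 127.0.0.0/8 or ::1: services bound to the web host itself
        return "loopback"
    if ip.is_link_local:    # 169.254.0.0/16 includes the cloud metadata endpoint
        return "link-local (cloud metadata range)"
    if ip.is_private:       # RFC 1918 and IPv6 ULA ranges
        return "private (RFC 1918 / ULA)"
    return None


def flag_requests(log_text: str, wp_hosts=WP_HOSTS, allowed=ALLOWED_DST_HOSTS) -> list:
    """Flag requests from the WordPress host to internal space or non-allowlisted hosts."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(2) not in wp_hosts:
            continue  # malformed line, or not originating from the WordPress server
        ts, _src, dst_ip, _method, url = m.groups()
        reason = classify_destination(dst_ip)
        if reason is None and (urlparse(url).hostname or "") not in allowed:
            reason = "destination not on allowlist"
        if reason:
            findings.append({"ts": ts, "url": url, "dst_ip": dst_ip, "reason": reason})
    return findings
```

The check uses the proxy's resolved destination IP rather than the URL hostname, so DNS-based tricks (a public name resolving to an internal address) are still caught at the egress point.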
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-06T12:02:44.591Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69238d0dec5d308f09cb6a8c
Added to database: 11/23/2025, 10:39:09 PM
Last enriched: 11/30/2025, 11:10:50 PM
Last updated: 1/8/2026, 10:32:39 PM