CVE-2025-12800: CWE-918 Server-Side Request Forgery (SSRF) in gn_themes WP Shortcodes Plugin — Shortcodes Ultimate
The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.4.5 via the su_shortcode_csv_table function. This makes it possible for authenticated attackers with Administrator-level access and above to make web requests to arbitrary locations originating from the web application, which can be used to query and modify information from internal services. If the 'Unsafe features' option is explicitly enabled by an administrator, this issue becomes exploitable by Contributor-level attackers and above.
AI Analysis
Technical Summary
CVE-2025-12800 is a Server-Side Request Forgery (SSRF) vulnerability in WP Shortcodes Plugin — Shortcodes Ultimate, a widely installed WordPress plugin by gn_themes. The flaw is in su_shortcode_csv_table, the handler for the plugin's CSV-table shortcode, which fetches a CSV file from a URL given in the shortcode and renders it as a table; all versions up to and including 7.4.5 are affected. Because the destination of that fetch is not restricted, the request originates from the web server and can reach hosts that are unreachable from the internet: services bound to loopback, RFC 1918 addresses, and cloud instance metadata endpoints. Exploitation requires authenticated access. By default only Administrator-level users can trigger the fetch, but once the plugin's 'Unsafe features' option has been enabled the same code path is reachable by Contributor-level users and above. That distinction matters: an administrator of a single-site WordPress install can already upload plugins and run arbitrary PHP, so the SSRF adds little for them, whereas a Contributor gains a server-side HTTP client they would otherwise never have. Since the shortcode exists to display what it fetched, the response body is typically rendered back to the attacker (confidentiality), and the request itself can change state on internal services that act on GET requests (integrity). No user interaction is required. The CVSS 3.1 base score is 6.4 (Medium): network attack vector, low attack complexity, no user interaction, privileges required. No public exploit has been reported at the time of writing, but the plugin's install base makes the issue worth prioritising, because SSRF is a standard pivot for bypassing network segmentation and reaching internal APIs.
Potential Impact
For European organizations running WordPress with this plugin, the vulnerability turns a content-editing role into a foothold on the internal network. Requests issued through the shortcode originate from the web server, so they can reach whatever that server can reach: internal HTTP APIs and admin consoles, services listening only on localhost, and, on cloud-hosted instances, the metadata service. On AWS instances still serving IMDSv1, a plain GET to 169.254.169.254 returns IAM role credentials; IMDSv2 requires a PUT and Azure and GCP require a custom request header, which a URL-only SSRF cannot supply (assuming the shortcode controls nothing but the URL). Where an internal service changes state on a GET request, the SSRF can alter data as well as read it. In the default configuration only administrators can exploit it, a modest increment over what an administrator can already do; with 'Unsafe features' enabled, every Contributor, Author and Editor account becomes a potential entry point, and those accounts are routinely issued to agencies, freelancers and content teams with weaker credential hygiene. Given how widely WordPress is used across Europe for corporate sites, e-commerce and public-sector portals, the realistic outcomes are leakage of internal data, theft of cloud credentials, and lateral movement. Availability is not directly affected, though manipulation of internal systems can cause knock-on disruption. The Medium score is a fair reflection of the risk on a well-segmented host and an underestimate on one where the web server has unrestricted egress to internal or metadata networks.
Mitigation Recommendations
1. Update WP Shortcodes Plugin — Shortcodes Ultimate to a release later than 7.4.5 as soon as the vendor ships one; watch the plugin changelog and Wordfence advisories for the fixed version.
2. Until then, confirm that the 'Unsafe features' option is disabled so that only administrators can reach the vulnerable code path, and treat enabling it as a change that needs a documented justification.
3. Apply least privilege to WordPress roles: review who holds Contributor, Author, Editor and Administrator roles, remove stale accounts, and enforce MFA on the rest.
4. Restrict the web server's egress: firewall or proxy rules that block outbound connections from the PHP workers to RFC 1918 ranges, loopback, link-local space (including 169.254.169.254) and other internal services. On AWS, require IMDSv2 so a GET-only SSRF cannot read instance credentials.
5. Audit stored content: search wp_posts (including revisions) for su_csv_table shortcodes and review any whose url attribute points at an IP literal, a private hostname or a metadata endpoint.
6. Monitor egress, not just ingress. Web server access logs do not record outbound requests, so alert on firewall or proxy logs that show the web server connecting to internal addresses, and on metadata-service access from the web tier.
7. A WAF can block post submissions that embed the shortcode with an internal URL, but it never sees the server's own outbound request; use it as a secondary control, not the primary one.
8. Review installed plugins and plugin options regularly, and make administrators aware that 'Unsafe features' extends this and similar issues to low-privilege roles.
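The destination check that a hardened CSV fetch should perform (the point of the Technical Summary above) and the stored-content audit in item 5 share the same classification logic, so one worked example covers both. It is an added example, not code from Shortcodes Ultimate, Wordfence or this advisory. It assumes the shortcode implemented by su_shortcode_csv_table is [su_csv_table url="..."] and that the url attribute is the value the server fetches; the sample posts and the DNS stub are constructed so the script runs offline. It goes a little beyond the advisory's specific case by also rejecting non-HTTP schemes and IPv4-mapped IPv6 literals, the usual bypasses of a naive deny-list.

```python
"""Classify the URLs a CSV-table shortcode would make the server fetch.

Added example, not code from Shortcodes Ultimate or from the advisory.
Assumption: the shortcode implemented by su_shortcode_csv_table is
[su_csv_table url="..."] and the url attribute is the value fetched.
"""
import ipaddress
import re
import socket
from typing import Callable, Iterable, List, Tuple
from urllib.parse import urlsplit

# Well-known cloud metadata names; a public website's CSV import never needs these.
METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal", "metadata", "fd00:ec2::254"}

SHORTCODE_RE = re.compile(r"\[su_csv_table\b([^\]]*)\]", re.IGNORECASE)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|(\S+))""")

Resolver = Callable[[str], List[str]]


def system_resolver(host: str) -> List[str]:
    """OS resolver; returns every A and AAAA answer, not just the first."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def is_internal_address(addr: str) -> bool:
    """True for loopback, RFC 1918, link-local (where cloud metadata lives),
    IPv6 ULA, reserved, multicast and unspecified addresses."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.5 is 10.0.0.5 on the wire
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def classify_url(url: str, resolver: Resolver = system_resolver) -> Tuple[bool, str]:
    """Return (is_unsafe, reason) for a URL the server is about to fetch.

    Every resolved address is checked: a name under attacker control can
    answer with one public and one internal record.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return True, f"non-http scheme {parts.scheme!r}"
    host = parts.hostname  # urlsplit lowercases it and strips IPv6 brackets
    if not host:
        return True, "missing host"
    if host in METADATA_HOSTS:
        return True, "cloud metadata endpoint"
    try:
        addrs = [str(ipaddress.ip_address(host))]  # IP literal: no DNS lookup
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        return True, f"unresolvable host {host!r}"
    for addr in addrs:
        if is_internal_address(addr):
            return True, f"{host} -> {addr} is an internal address"
    return False, "public target"


def scan_posts(posts: Iterable[dict], resolver: Resolver = system_resolver) -> List[dict]:
    """Report every [su_csv_table] whose url attribute targets an internal host."""
    findings = []
    for post in posts:
        for match in SHORTCODE_RE.finditer(post["content"]):
            attrs = {name.lower(): dq or sq or bare
                     for name, dq, sq, bare in ATTR_RE.findall(match.group(1))}
            url = attrs.get("url", "")
            unsafe, reason = classify_url(url, resolver)
            if unsafe:
                findings.append({"post_id": post["id"], "author_role": post["author_role"],
                                 "url": url, "reason": reason})
    return findings


# Constructed sample rows (not real site data) and a stub DNS table so the
# example runs offline; in practice feed wp_posts rows and the system resolver.
SAMPLE_POSTS = [
    {"id": 101, "author_role": "administrator",
     "content": 'Q3 figures: [su_csv_table url="https://example.com/q3.csv"]'},
    {"id": 102, "author_role": "contributor",
     "content": '[su_csv_table url="http://169.254.169.254/latest/meta-data/"]'},
    {"id": 103, "author_role": "contributor",
     "content": "[su_csv_table url='http://intranet.corp/finance/export.csv' header=yes]"},
    {"id": 104, "author_role": "editor",
     "content": '[su_csv_table url="http://[::ffff:10.0.0.5]/x.csv"]'},
    {"id": 105, "author_role": "contributor",
     "content": '[su_csv_table url="file:///etc/passwd"]'},
]
STUB_DNS = {"example.com": ["93.184.216.34"], "intranet.corp": ["10.20.30.40"]}


def stub_resolver(host: str) -> List[str]:
    """Offline stand-in for system_resolver; returns the constructed records above."""
    return STUB_DNS.get(host, [])


if __name__ == "__main__":
    for finding in scan_posts(SAMPLE_POSTS, stub_resolver):
        print(finding)
```

classify_url rejects a name if any of its addresses is internal, which is the right bias for a fetch the server performs on a user's behalf. The same check has to be repeated on every redirect hop and ideally at connect time, because DNS rebinding between the lookup and the fetch defeats a one-off validation. In WordPress itself the built-in equivalent is wp_safe_remote_get(), which applies wp_http_validate_url() to reject private and loopback targets and carries the same restriction through redirects; note that it resolves the hostname to a single address, so it complements egress filtering rather than replacing it.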
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-06T12:02:44.591Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69238d0dec5d308f09cb6a8c
Added to database: 11/23/2025, 10:39:09 PM
Last enriched: 11/23/2025, 10:43:41 PM
Last updated: 11/24/2025, 3:50:31 PM
Related Threats
- CVE-2025-60916: n/a (severity: Unknown)
- CVE-2025-60915: n/a (severity: Unknown)
- CVE-2025-10555: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Dassault Systèmes DELMIA Service Process Engineer (severity: High)
- CVE-2025-10554: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Dassault Systèmes ENOVIA Product Manager (severity: High)
- CVE-2025-60914: n/a (severity: Unknown)