CVE-2025-12800: CWE-918 Server-Side Request Forgery (SSRF) in gn_themes WP Shortcodes Plugin — Shortcodes Ultimate
The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.4.5 via the su_shortcode_csv_table function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. If the 'Unsafe features' option is explicitly enabled by an administrator, this issue becomes exploitable by Contributor+ attackers.
AI Analysis
Technical Summary
CVE-2025-12800 is a Server-Side Request Forgery (SSRF) vulnerability identified in the WP Shortcodes Plugin — Shortcodes Ultimate, a widely used WordPress plugin developed by gn_themes. The vulnerability exists in the su_shortcode_csv_table function and affects all versions up to and including 7.4.5. SSRF vulnerabilities allow attackers to induce the server-side application to make HTTP requests to arbitrary locations, potentially accessing internal or protected resources that are not directly accessible from the outside. In this case, exploitation requires the attacker to have authenticated access with Administrator-level privileges or higher. However, if the plugin's 'Unsafe features' option is explicitly enabled by an administrator, the attack surface expands to include users with Contributor-level access or above, significantly increasing risk. The vulnerability can be leveraged to query internal services, potentially exposing sensitive data or enabling modification of internal information. The CVSS v3.1 base score is 6.4 (medium severity), reflecting the network attack vector, low attack complexity, required privileges, no user interaction, and partial impact on confidentiality and integrity. There are no known public exploits or patches available at the time of publication. This vulnerability is particularly concerning for WordPress sites that rely on this plugin and have multiple user roles with elevated privileges. The SSRF can be used as a pivot point for further internal network reconnaissance or attacks, especially in environments with sensitive internal services accessible only from the web server.
Potential Impact
The primary impact of CVE-2025-12800 is on the confidentiality and integrity of internal systems accessible from the vulnerable WordPress server. An attacker with Administrator privileges can exploit the SSRF to send crafted requests to internal services, potentially extracting sensitive data or manipulating internal APIs. If the 'Unsafe features' option is enabled, lower-privileged users (Contributor+) can also exploit the vulnerability, increasing the risk of insider threats or compromised accounts causing damage. While availability is not directly impacted, successful exploitation could facilitate lateral movement within the network or data exfiltration, leading to broader compromise. Organizations hosting WordPress sites with this plugin may face data breaches, unauthorized internal access, or defacement if attackers leverage this SSRF as part of a multi-stage attack. The vulnerability is particularly dangerous in environments where internal services are trusted and lack additional authentication or network segmentation. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers often develop exploits rapidly after disclosure.
Mitigation Recommendations
To mitigate CVE-2025-12800, organizations should immediately update the WP Shortcodes Plugin — Shortcodes Ultimate to a patched version once available. Until a patch is released, administrators should disable the 'Unsafe features' option to prevent exploitation by lower-privileged users. Restrict WordPress user roles to the minimum necessary privileges, avoiding unnecessary Administrator or Contributor accounts. Implement strict network segmentation and firewall rules to limit the WordPress server's ability to access internal services. Monitor web server logs and internal service logs for unusual or unexpected requests originating from the WordPress server. Employ Web Application Firewalls (WAFs) with custom rules to detect and block SSRF patterns targeting internal IP ranges. Conduct regular audits of installed plugins and remove or replace those that are unmaintained or vulnerable. Educate site administrators about the risks of enabling unsafe features and the importance of applying security updates promptly.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-06T12:02:44.591Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69238d0dec5d308f09cb6a8c
Added to database: 11/23/2025, 10:39:09 PM
Last enriched: 2/27/2026, 9:09:38 PM
Last updated: 3/24/2026, 7:01:23 AM