CVE-2025-7369 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the WP Shortcodes Plugin — Shortcodes Ultimate for WordPress, specifically all versions up to and including 7.4.2. The vulnerability arises from missing or incorrect nonce validation on the plugin's preview function, which is intended to allow users to preview shortcodes before publishing. Due to this improper validation, an unauthenticated attacker can craft a malicious request that, if executed by a site administrator (for example, by clicking a link), causes arbitrary shortcodes to be executed on the targeted WordPress site. This can lead to unauthorized actions being performed without the administrator's explicit consent. Furthermore, when combined with CVE-2025-7354, this CSRF vulnerability can facilitate reflected Cross-Site Scripting (XSS) attacks, increasing the potential impact by allowing script injection and execution in the context of the administrator's browser. The vulnerability has a CVSS 3.1 base score of 6.1, indicating a medium severity level. The attack vector is network-based, requires no privileges, but does require user interaction (the administrator must be tricked into clicking a malicious link). The scope is changed, meaning the vulnerability affects components beyond the initially vulnerable plugin, potentially impacting the broader WordPress environment. The impact on confidentiality and integrity is limited but non-negligible, as arbitrary shortcode execution could be leveraged to manipulate site content or settings. Availability is not impacted. No known exploits are currently reported in the wild, and no official patches have been linked yet. The vulnerability was publicly disclosed in July 2025.

For European organizations using WordPress sites with the WP Shortcodes Plugin — Shortcodes Ultimate, this vulnerability poses a moderate risk. Many European businesses, governmental agencies, and NGOs rely on WordPress for their web presence, and this plugin is popular for enhancing content with shortcodes. Successful exploitation could allow attackers to execute arbitrary shortcodes, potentially altering site content, injecting malicious scripts, or performing unauthorized administrative actions if combined with other vulnerabilities like CVE-2025-7354. This could lead to defacement, data leakage, or further compromise of the site and its users. Given the requirement for administrator interaction, social engineering is a key component, which may be easier in targeted attacks against high-value organizations. The reflected XSS possibility increases risk by enabling session hijacking or credential theft. The impact is particularly relevant for organizations handling sensitive data or providing critical services via their WordPress sites, as trust and data integrity could be compromised. However, the absence of known exploits in the wild and the medium severity score suggest the threat is serious but not critical at this time.

European organizations should immediately audit their WordPress installations to identify the presence of the WP Shortcodes Plugin — Shortcodes Ultimate and verify the version in use. Until an official patch is released, administrators should consider disabling the preview function or the entire plugin if feasible. Implementing Web Application Firewall (WAF) rules to detect and block suspicious requests targeting the preview function can reduce risk. Educate administrators about the dangers of clicking untrusted links, especially those that could trigger administrative actions. Employ Content Security Policy (CSP) headers to mitigate the impact of reflected XSS attacks. Regularly monitor WordPress plugin updates and apply patches promptly once available. Additionally, consider restricting administrative access by IP or using multi-factor authentication to reduce the risk of successful exploitation. Conduct security testing focused on shortcode execution and CSRF protections to identify and remediate similar weaknesses in custom or third-party plugins.