CVE-2025-7369
BaseFortify
Publication date: 2025-07-21
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | shortcodes_ultimate | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the WP Shortcodes Ultimate plugin for WordPress is a Cross-Site Request Forgery (CSRF) issue affecting all versions up to and including 7.4.2. It occurs because the plugin's preview function lacks proper nonce validation, allowing unauthenticated attackers to execute arbitrary shortcodes by tricking a site administrator into clicking a malicious link. This can lead to unauthorized actions being performed on the site. Additionally, when combined with another vulnerability (CVE-2025-7354), it can result in Reflected Cross-Site Scripting (XSS).
How can this vulnerability impact me? :
This vulnerability can allow attackers to execute arbitrary shortcodes on your WordPress site without authentication by tricking an administrator into clicking a malicious link. This can lead to unauthorized actions being performed on your site, potentially compromising site integrity and security. In combination with another vulnerability (CVE-2025-7354), it can also enable Reflected Cross-Site Scripting attacks, which may allow attackers to execute malicious scripts in the context of your site, potentially leading to data theft, session hijacking, or other malicious activities.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying if the WordPress site is running the Shortcodes Ultimate plugin version 7.4.2 or earlier, which is vulnerable to CSRF due to missing nonce validation on the preview function. You can check the plugin version via WordPress admin dashboard or by inspecting the plugin files. On the system, you can use commands to check the plugin version, for example: 1) Using WP-CLI: `wp plugin list --status=active` to list active plugins and their versions. 2) Checking the plugin's main file header for version info: `grep 'Version:' wp-content/plugins/shortcodes-ultimate/shortcodes-ultimate.php`. Additionally, monitoring for suspicious POST requests to the shortcode preview AJAX endpoint (if accessible) or unusual admin actions triggered without user interaction may indicate exploitation attempts. However, no specific detection commands for the CSRF attack itself are provided in the resources. [2]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Shortcodes Ultimate plugin to version 7.4.3 or later, as indicated by the changeset in Resource 1 which corresponds to the version after 7.4.2. Although the changeset does not explicitly describe the vulnerability fix, the update includes extensive security and functionality improvements. Until the update can be applied, restrict access to the WordPress admin area to trusted users only, avoid clicking on suspicious links, and consider disabling or limiting the shortcode preview functionality if possible. Implementing strict user capability checks and ensuring nonce validation in custom code can also help mitigate CSRF risks. [1]