CVE-2025-12800
BaseFortify
Publication date: 2025-11-23
Last updated on: 2025-11-23
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordfence | wp_shortcodes_plugin | * |
| wordfence | shortcodes_ultimate | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The WP Shortcodes Plugin β Shortcodes Ultimate plugin for WordPress has a Server-Side Request Forgery (SSRF) vulnerability in all versions up to and including 7.4.5 via the su_shortcode_csv_table function. This vulnerability allows authenticated attackers with Administrator-level access or higher to make web requests to arbitrary locations from the web application. If the 'Unsafe features' option is enabled by an administrator, attackers with Contributor-level access or higher can also exploit this issue.
How can this vulnerability impact me? :
This vulnerability can allow attackers with sufficient access to make unauthorized web requests from the server to arbitrary locations, potentially enabling them to query and modify information from internal services. This could lead to unauthorized data access or manipulation within the internal network.