CVE-2023-23800: 
WordPress vulnerability analysis and mitigation

A Server-Side Request Forgery (SSRF) vulnerability was discovered in Vova Anokhin's WP Shortcodes Plugin — Shortcodes Ultimate, affecting versions through 5.12.6. The vulnerability was identified on February 8, 2023, and was assigned CVE-2023-23800. The plugin, which has over 700,000 active installations, provides multiple shortcode features for WordPress websites (Patchstack Advisory).

The vulnerability exists in the csvtable shortcode functionality where the code attempts to fetch arbitrary URLs using wpremote_get without proper URL validation. The issue allows authenticated users with a minimum Contributor role to forge requests to internal WordPress network services. The vulnerability received a CVSS v3.1 base score of 7.1 (High) from Patchstack and 6.5 (Medium) from NVD (NVD, WPScan).

The vulnerability could allow malicious actors to cause a website to execute requests to arbitrary domains and potentially access sensitive information from other services running on the system. This could lead to unauthorized access to internal resources and potential data exposure (Patchstack).

The vulnerability was patched in version 5.12.7 of the plugin. Users are strongly advised to update to this version or later. The fix implements wpsaferemoteget instead of wpremote_get to secure the process from request forgery. Additionally, Patchstack has issued a virtual patch to mitigate this issue by blocking attacks until users update to a fixed version (Patchstack Advisory).