The plugin does not validate the `url` attribute of its `su_csv_table` shortcode before making a request to it, which could allow any authenticated user, such as a subscriber, to perform SSRF attacks.

CPE

Name | Operator | Version |
---|---|---|
shortcodes-ultimate | lt | 5.12.7 |
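
An added audit example (not the plugin's code and not part of the original advisory): it scans stored post content for `su_csv_table` shortcodes and flags `url` values that use a non-HTTP scheme or point at loopback, private or otherwise non-public hosts. The sample posts are constructed, and the function names and the idea of feeding it an export of `wp_posts.post_content` are assumptions of this example; DNS names are not resolved, so a hostname that resolves to an internal address is not caught here.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# [su_csv_table ...] shortcode and its url attribute (double-quoted, single-quoted or bare)
SHORTCODE_RE = re.compile(r"\[su_csv_table\b([^\]]*)\]", re.IGNORECASE)
URL_ATTR_RE = re.compile(r"""\burl\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s\]]+))""", re.IGNORECASE)

def classify_url(url):
    """Return a reason string when the URL deserves review, else None."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname
    except ValueError:
        return "unparseable URL"
    if parts.scheme.lower() not in ("http", "https"):
        return "non-http scheme"
    if not host or host == "localhost" or host.endswith((".local", ".internal")):
        return "missing or internal hostname"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None  # DNS name: not resolved in this offline check
    if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved or ip.is_unspecified:
        return "non-public address"
    return None

def audit_posts(posts):
    """posts: iterable of (post_id, content); returns [(post_id, url, reason), ...]."""
    findings = []
    for post_id, content in posts:
        for shortcode in SHORTCODE_RE.finditer(content):
            attr = URL_ATTR_RE.search(shortcode.group(1))
            if attr is None:
                continue
            url = next(g for g in attr.groups() if g is not None)
            reason = classify_url(url)
            if reason:
                findings.append((post_id, url, reason))
    return findings

# Constructed sample content, not taken from a real site
SAMPLE_POSTS = [
    (101, 'Report: [su_csv_table url="https://example.com/data.csv"]'),
    (102, "[su_csv_table url='http://127.0.0.1:8080/status']"),
    (103, "[su_csv_table url=http://10.0.0.5/export.csv]"),
    (104, '[su_csv_table url="ftp://files.example.com/a.csv"]'),
]
```

Calling `audit_posts(SAMPLE_POSTS)` returns one tuple per flagged shortcode; on sites running a version below 5.12.7, flagged posts authored by low-privilege accounts are the ones to review first.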