CVE-2025-12376
BaseFortify
Publication date: 2025-11-18
Last updated on: 2025-11-18
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | icon_list_block | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Server-Side Request Forgery (SSRF) in the Icon List Block plugin for WordPress, affecting versions up to 1.2.1. Authenticated users with Subscriber-level access or higher can cause the web server to issue HTTP requests to arbitrary locations of their choosing, which can be used to query and modify information on internal services that are reachable from the server but not from the attacker. The flaw is in the fs_api_request function. The response body is rendered back to the caller only when it is a valid JSON object, which limits what an attacker can read directly from non-JSON services but does not stop the request itself from being sent.
How can this vulnerability impact me?
An attacker with Subscriber-level access or above can exploit this vulnerability to make the web application send requests to internal or external systems, potentially reading or modifying sensitive internal information. Because the server, not the attacker, originates the request, it carries the server's network position and any implicit trust that internal services place in it. This can lead to unauthorized data exposure or manipulation within internal services, increasing the risk of data breaches or system compromise.
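The CWE-918 weakness above comes down to a server fetching a caller-controlled URL without checking where that URL actually points. The following is an added illustration, not code from the Icon List Block plugin or from Wordfence's advisory: it shows the unsafe pattern next to a hardened destination check of the kind a practitioner would want. The allowlist host, the fake resolver used so the example runs offline, and the function names are all assumptions for the example.

```python
"""Illustrative SSRF sink and hardened outbound-URL validator (added example)."""
import ipaddress
import json
import socket
from urllib.parse import urlparse

# Assumed for the example: the single vendor API host the server is expected
# to contact. Replace with the real upstream host in practice.
ALLOWED_HOSTS = {"api.example.com"}


def fetch_unsafe(url, http_get):
    """The vulnerable shape: any caller-supplied URL is fetched as-is.
    http_get is the HTTP client; an attacker controls the whole destination."""
    return http_get(url)


def render_only_json(body):
    """Mirror the advisory's note that only valid JSON objects are rendered:
    returns the parsed object, or None for anything that is not a JSON object."""
    try:
        obj = json.loads(body)
    except (TypeError, ValueError):
        return None
    return obj if isinstance(obj, dict) else None


def resolve_all(hostname):
    """Resolve every A/AAAA record for hostname. All records are checked,
    because a name with one public and one internal address is still unsafe."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def is_public_ip(ip_str):
    """Reject loopback, RFC1918/ULA, link-local (including cloud metadata at
    169.254.169.254), multicast, reserved and unspecified addresses."""
    ip = ipaddress.ip_address(ip_str)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_outbound_url(url, allowed_hosts=ALLOWED_HOSTS, resolver=resolve_all):
    """Return (ok, reason). Scheme, embedded credentials, host allowlist and the
    resolved addresses are all checked before any request is made."""
    parts = urlparse(url)
    if parts.scheme != "https":
        return False, "scheme must be https"
    if parts.username or parts.password:
        # Blocks the classic https://allowed.host@10.0.0.5/ trick.
        return False, "credentials in URL are not allowed"
    host = parts.hostname
    if not host:
        return False, "URL has no host"
    if host not in allowed_hosts:
        return False, "host %r is not in the allowlist" % host
    addrs = resolver(host)
    if not addrs:
        return False, "host did not resolve"
    for addr in addrs:
        if not is_public_ip(addr):
            return False, "%s resolves to non-public address %s" % (host, addr)
    return True, "ok"


def fetch_safe(url, http_get, resolver=resolve_all):
    """Hardened shape: refuse to send anything that fails validation."""
    ok, reason = validate_outbound_url(url, resolver=resolver)
    if not ok:
        raise ValueError("refusing outbound request: " + reason)
    return http_get(url)


if __name__ == "__main__":
    # Constructed resolver so the demo runs offline.
    fake_dns = {"api.example.com": ["93.184.216.34"]}
    for candidate in ("https://api.example.com/v1/ping",
                      "http://169.254.169.254/latest/meta-data/",
                      "https://api.example.com@10.0.0.5/",
                      "https://169.254.169.254/"):
        print(candidate, validate_outbound_url(candidate, resolver=fake_dns.get))
```

Validating a name and then fetching it leaves a DNS-rebinding window between the lookup and the connection; a production fix connects to the address that passed the check (or pins it in the HTTP client) rather than re-resolving. Note also that the JSON-only rendering described in the advisory narrows read-back, but a validator like this is what actually stops the request from reaching internal services.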