CVE-2025-12886
Received Received - Intake
Server-Side Request Forgery in Oxygen Theme ≀ 6.0.8 Allows Internal Access

Publication date: 2026-03-28

Last updated on: 2026-03-28

Assigner: Wordfence

Description
The Oxygen Theme theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.0.8 via the laborator_calc_route AJAX action. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-28
Last Modified
2026-03-28
Generated
2026-06-16
AI Q&A
2026-03-28
EPSS Evaluated
2026-06-15
NVD
CVE-2025-12886
EUVD
EUVD-2025-209108
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
laborator oxygen_theme to 6.0.8 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Oxygen Theme for WordPress, up to and including version 6.0.8, contains a Server-Side Request Forgery (SSRF) vulnerability via the laborator_calc_route AJAX action.

This vulnerability allows unauthenticated attackers to make web requests to arbitrary locations from the web application.

Attackers can use this to query and modify information from internal services that the web application can access.

Impact Analysis

This vulnerability can be exploited by unauthenticated attackers to send requests from the vulnerable web application to arbitrary internal or external locations.

As a result, attackers may be able to access, query, or modify sensitive information from internal services that are not normally exposed to the internet.

This can lead to information disclosure and integrity issues within the affected environment.

Compliance Impact

The Oxygen Theme vulnerability allows unauthenticated attackers to perform Server-Side Request Forgery (SSRF), enabling them to make web requests to arbitrary locations from the web application and potentially query and modify information from internal services.

Such unauthorized access and potential modification of internal data could lead to breaches of confidentiality and integrity, which are critical aspects of compliance with standards like GDPR and HIPAA.

Therefore, exploitation of this vulnerability may result in non-compliance with data protection regulations that require safeguarding personal and sensitive information against unauthorized access and modification.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-12886. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart