CVE-2025-12376: Subscriber-Level SSRF Threatens Icon List Block WordPress Plugin Users

Overview

CVE-2025-12376 identifies a Server-Side Request Forgery (SSRF) vulnerability present in the Icon List Block – Add Icon-Based Lists with Custom Styles plugin for WordPress. This vulnerability affects all versions up to and including 1.2.1. Exploitation allows authenticated attackers with Subscriber-level access (or higher) to force the web application to make requests to arbitrary internal or external locations. While the response is limited to valid JSON objects, this can still be leveraged to gather sensitive information or interact with internal services.

Technical Details

The vulnerability lies within the fs_api_request function of the plugin. This function, intended for internal API requests, lacks proper input sanitization and validation, allowing attackers to control the destination of the server-side request. The flawed code is located in bplugins_sdk/inc/Base/FSActivate.php.

The vulnerable code concerns how the target URL is constructed from request input and passed to the function that issues the HTTP request, with no allowlist or destination check in between.

The relevant file can be inspected online at: plugins.trac.wordpress.org
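The following is an added example, not the plugin's code or its vendor's patch: a hardened server-side request helper for a WordPress plugin, written to show how an fs_api_request-style function can avoid the class of flaw described above. The function names, the allowlisted host, the option and nonce names, and the required capability are all assumptions chosen for illustration; only the WordPress API calls (current_user_can, wp_parse_url, wp_http_validate_url, wp_safe_remote_get, check_ajax_referer, wp_send_json_*) are real.

```php
<?php
// Added example (hypothetical helper, not the plugin's own code).
// Goal: the caller may choose only a path segment; scheme and host are fixed
// server-side, so a Subscriber cannot steer the request to arbitrary locations.

// Hosts the plugin legitimately needs to reach. Assumed value for illustration.
const EXAMPLE_ALLOWED_API_HOSTS = array( 'api.example-vendor.invalid' );

/**
 * Build the request URL from a fixed base plus a caller-supplied path.
 * The path is restricted to a conservative character set so it cannot carry
 * a scheme, userinfo, or host ("https://", "@", "//") or traverse upward.
 */
function example_build_api_url( $path ) {
    if ( ! preg_match( '#\A[A-Za-z0-9_./-]{1,200}\z#', $path ) || strpos( $path, '..' ) !== false ) {
        return new WP_Error( 'example_bad_path', 'Invalid API path.' );
    }
    return 'https://' . EXAMPLE_ALLOWED_API_HOSTS[0] . '/' . ltrim( $path, '/' );
}

/**
 * Perform the outbound request with layered checks:
 * capability -> allowlisted host -> WordPress URL validation -> safe HTTP client.
 */
function example_safe_api_request( $path, array $args = array() ) {
    // 1. Capability check: the advisory's flaw was reachable by Subscribers.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'example_forbidden', 'Insufficient privileges.' );
    }

    $url = example_build_api_url( $path );
    if ( is_wp_error( $url ) ) {
        return $url;
    }

    // 2. Defence in depth: re-check the final host against the allowlist and let
    //    wp_http_validate_url() reject loopback/private/reserved destinations.
    $host = wp_parse_url( $url, PHP_URL_HOST );
    if ( ! in_array( $host, EXAMPLE_ALLOWED_API_HOSTS, true ) || ! wp_http_validate_url( $url ) ) {
        return new WP_Error( 'example_blocked_host', 'Destination not allowed.' );
    }

    // 3. wp_safe_remote_get() sets reject_unsafe_urls, refusing non-http(s)
    //    schemes and internal addresses. Redirects are disabled so a permitted
    //    host cannot bounce the server onto an internal one.
    $response = wp_safe_remote_get( $url, array_merge( array(
        'timeout'     => 10,
        'redirection' => 0,
        'sslverify'   => true,
    ), $args ) );
    if ( is_wp_error( $response ) ) {
        return $response;
    }

    // 4. Only hand back parsed JSON, never the raw body, to limit what a caller
    //    could learn from an unexpected upstream response.
    $json = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( json_last_error() !== JSON_ERROR_NONE ) {
        return new WP_Error( 'example_bad_json', 'Upstream did not return JSON.' );
    }
    return $json;
}

// Hypothetical AJAX registration: nonce check here, capability check in the helper.
add_action( 'wp_ajax_example_api_request', function () {
    check_ajax_referer( 'example_api_nonce', 'nonce' );
    $path   = isset( $_POST['path'] ) ? sanitize_text_field( wp_unslash( $_POST['path'] ) ) : '';
    $result = example_safe_api_request( $path );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 403 );
    }
    wp_send_json_success( $result );
} );
```

The design point is that no single check is trusted on its own: even if the path filter were bypassed, the host allowlist would still hold, and even if the allowlisted host redirected, the client refuses to follow. When reviewing a plugin for this issue, look for the same three ingredients (who may call it, where it may go, and whether redirects are followed) around any wp_remote_* or curl call that takes request input.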

CVSS Analysis

The vulnerability has a CVSS score of 6.4 (MEDIUM).

This score reflects the following factors:

  • Attack Vector (AV): Network
  • Attack Complexity (AC): Low
  • Privileges Required (PR): Low (Subscriber)
  • User Interaction (UI): None
  • Scope (S): Changed
  • Confidentiality Impact (C): Low
  • Integrity Impact (I): Low
  • Availability Impact (A): None

While the impact is limited because only valid JSON responses are returned to the attacker, the ability to issue requests from the server still opens up several attack vectors.

Possible Impact

Successful exploitation of this SSRF vulnerability could allow an attacker to:

  • Scan internal network resources: An attacker can use the vulnerable function to probe for internal servers and services, potentially identifying sensitive information or vulnerable endpoints.
  • Expose sensitive data: While limited to JSON responses, the attacker could potentially extract sensitive data from internal APIs that return JSON.
  • Bypass firewalls and access control lists (ACLs): By making requests from the server, an attacker can potentially bypass firewall rules and ACLs that are in place to protect internal resources.
  • Potentially manipulate internal services: If internal services accept JSON-based commands, an attacker might be able to manipulate them via the SSRF vulnerability.

Mitigation and Patch Steps

The primary mitigation is to update the Icon List Block plugin to a version later than 1.2.1, where the vulnerability has been addressed. If an update is not yet available, temporarily disabling the plugin until a patched version is released removes the exposed code path.

Beyond patching, general security best practices should be followed:

  • Regularly update all WordPress plugins and themes.
  • Use a web application firewall (WAF) to detect and block malicious requests.
  • Implement network segmentation to limit the impact of a successful compromise.
