{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12376", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-28T00:08:02.684Z", "datePublished": "2025-11-18T13:54:50.042Z", "dateUpdated": "2026-04-08T16:49:08.188Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:49:08.188Z"}, "affected": [{"vendor": "bplugins", "product": "Icon List Block \u2013 Add Icon-Based Lists with Custom Styles", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.2.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Icon List Block \u2013 Add Icon-Based Lists with Custom Styles plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.2.1 via the fs_api_request function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. Only valid JSON objects are rendered in the response."}], "title": "Icon List Block \u2013 Add Icon-Based Lists with Custom Styles <= 1.2.1 - Authenticated (Subscriber+) Server-Side Request Forgery", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/438e2911-7663-44fe-883f-19ad29972aac?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/icon-list-block/tags/1.2.0/bplugins_sdk/inc/Base/FSActivate.php#L168"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-918 Server-Side Request Forgery (SSRF)", "cweId": "CWE-918", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Sushi Com Abacate"}], "timeline": [{"time": "2025-10-16T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-10-28T00:23:39.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-11-18T01:11:17.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-18T14:30:21.716111Z", "id": "CVE-2025-12376", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-18T14:30:38.295Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12376", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-18T14:30:21.716111Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-18T14:30:31.990Z"}}], "cna": {"title": "Icon List Block \u2013 Add Icon-Based Lists with Custom Styles <= 1.2.1 - Authenticated (Subscriber+) Server-Side Request Forgery", "credits": [{"lang": "en", "type": "finder", "value": "Sushi Com Abacate"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "bplugins", "product": "Icon List Block \u2013 Add Icon-Based Lists with Custom Styles", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.2.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-16T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-10-28T00:23:39.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-11-18T01:11:17.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/438e2911-7663-44fe-883f-19ad29972aac?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/icon-list-block/tags/1.2.0/bplugins_sdk/inc/Base/FSActivate.php#L168"}], "descriptions": [{"lang": "en", "value": "The Icon List Block \u2013 Add Icon-Based Lists with Custom Styles plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.2.1 via the fs_api_request function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. Only valid JSON objects are rendered in the response."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:49:08.188Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12376", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:49:08.188Z", "dateReserved": "2025-10-28T00:08:02.684Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-18T13:54:50.042Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Icon List Block \u2013 Add Icon-Based Lists with Custom Styles plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.2.1 via the fs_api_request function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. Only valid JSON objects are rendered in the response."}], "id": "CVE-2025-12376", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-18T15:16:26.140", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/icon-list-block/tags/1.2.0/bplugins_sdk/inc/Base/FSActivate.php#L168"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/438e2911-7663-44fe-883f-19ad29972aac?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T11:42:29.014885+00:00", "value": {"mitigation_remediation": ["Update the Icon List Block plugin to the latest release that removes the SSRF vulnerability.", "If an update is not yet available, deactivate the fs_api_request feature by disabling the plugin or modifying its code to prevent outbound requests until a fix is released.", "Employ an application or web\u2011server firewall to block outbound HTTP requests from the application to internal IP ranges or untrusted domains, mitigating potential exploitation."], "summary": {"action": "Patch Now", "impact": "Server\u2011Side Request Forgery enabling internal requests"}, "threat_synthesis": {"affected_systems": "WordPress installations running any version of the Icon List Block plugin up to and including 1.2.1 are affected. The vulnerability exists in all checked releases of the plugin\u2019s code base; any site that has not updated beyond 1.2.1 remains at risk.", "description_and_impact": "The Icon List Block \u2013 Add Icon-Based Lists with Custom Styles plugin for WordPress contains a Server\u2011Side Request Forgery flaw. The vulnerable fs_api_request function permits authenticated users with Subscriber or higher privileges to send HTTP requests to arbitrary URLs from the host, allowing them to read from or manipulate internal network services. Because the response is filtered to only valid JSON, the attacker can still consume sensitive data or trigger actions on internal systems without immediate visible error.", "risk_and_exploitability": "The CVSS base score of 6.4 indicates a moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The issue is not in the CISA KEV catalog. Nonetheless, exploitation requires only legitimate Subscriber\u2011level credentials, so the risk surface is limited to sites that grant such permissions. An attacker could use the flaw to exfiltrate internal data or alter services, manipulating the web application\u2019s internal network view."}}}}, "created": "2025-11-20T10:30:43.760589+00:00", "updated": "2026-04-22T12:00:05.913131+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}