{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12388", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-28T13:10:16.204Z", "datePublished": "2025-11-05T06:35:01.390Z", "dateUpdated": "2026-04-08T17:23:27.070Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:23:27.070Z"}, "affected": [{"vendor": "bplugins", "product": "Carousel Block \u2013 Responsive Image and Content Carousel", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.1.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The B Carousel Block \u2013 Responsive Image and Content Carousel plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 1.1.5. This is due to the plugin not validating user-supplied URLs before passing them to the wp_remote_request() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services."}], "title": "B Carousel Block \u2013 Responsive Image and Content Carousel <= 1.1.5 - Missing Authorization to Authenticated (Subscriber+) Server-Side Request Forgery", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cb5ca73c-1a1d-4a93-bbcb-8af606189f26?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3387643/b-carousel-block"}, {"url": "https://plugins.trac.wordpress.org/changeset/3388271/b-carousel-block"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-918 Server-Side Request Forgery (SSRF)", "cweId": "CWE-918", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Sushi Com Abacate"}], "timeline": [{"time": "2025-10-16T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-10-28T13:25:50.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-11-04T17:38:53.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-05T14:23:20.515546Z", "id": "CVE-2025-12388", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-05T14:23:30.683Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12388", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-05T14:23:20.515546Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-05T14:23:25.527Z"}}], "cna": {"title": "B Carousel Block \u2013 Responsive Image and Content Carousel <= 1.1.5 - Missing Authorization to Authenticated (Subscriber+) Server-Side Request Forgery", "credits": [{"lang": "en", "type": "finder", "value": "Sushi Com Abacate"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "bplugins", "product": "Carousel Block \u2013 Responsive Image and Content Carousel", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.1.5"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-16T00:00:00.000+00:00", "value": "Discovered"}, {"lang": "en", "time": "2025-10-28T13:25:50.000+00:00", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-11-04T17:38:53.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cb5ca73c-1a1d-4a93-bbcb-8af606189f26?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3387643/b-carousel-block"}, {"url": "https://plugins.trac.wordpress.org/changeset/3388271/b-carousel-block"}], "descriptions": [{"lang": "en", "value": "The B Carousel Block \u2013 Responsive Image and Content Carousel plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 1.1.5. This is due to the plugin not validating user-supplied URLs before passing them to the wp_remote_request() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-11-05T06:35:01.390Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12388", "state": "PUBLISHED", "dateUpdated": "2025-11-05T14:23:30.683Z", "dateReserved": "2025-10-28T13:10:16.204Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-05T06:35:01.390Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The B Carousel Block \u2013 Responsive Image and Content Carousel plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 1.1.5. This is due to the plugin not validating user-supplied URLs before passing them to the wp_remote_request() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services."}], "id": "CVE-2025-12388", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-05T07:15:32.813", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3387643/b-carousel-block"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3388271/b-carousel-block"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cb5ca73c-1a1d-4a93-bbcb-8af606189f26?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T01:51:15.692247+00:00", "value": {"mitigation_remediation": ["Upgrade the Carousel Block plugin to a version newer than\u00a01.1.5 where URL validation has been implemented.", "If an upgrade is not immediately possible, deactivate or uninstall the plugin until a patched release is available.", "As a temporary workaround, restrict outbound HTTP(S) requests from WordPress by configuring the wp_remote_request capability or using a security plugin or firewall to whitelist or block external calls."], "summary": {"action": "Update Plugin", "impact": "Server\u2011Side Request Forgery"}, "threat_synthesis": {"affected_systems": "The vulnerability applies to the WordPress plugin B Carousel Block \u2013 Responsive Image and Content Carousel for versions up to and including 1.1.5. WordPress sites running any of these versions with the plugin installed are at risk whenever users possessing subscriber or higher roles can add or edit carousel blocks.", "description_and_impact": "The Carousel Block plugin fails to validate user\u2011supplied URLs before passing them to wp_remote_request, allowing any authenticated user with subscriber level or higher to send arbitrary HTTP requests from the WordPress server. This can expose internal services or retrieve sensitive data, and also enables the attacker to modify internal resources or initiate further attacks. The weakness directly corresponds to CWE\u2011918.", "risk_and_exploitability": "The CVSS score of 6.4 indicates moderate severity and the EPSS score of less than\u00a01% suggests a low probability of exploitation; the vulnerability is not listed in the CISA KEV catalog. Because an attacker must first authenticate to the WordPress admin area as a subscriber or above, the attack surface is limited to privileged users. Once authenticated, the attacker can craft a carousel entry with a malicious URL, causing the server\u2011side wp_remote_request to reach arbitrary hosts\u2014including internal network resources\u2014without validation or redirection checks. This makes the issue straightforward to exploit in a controlled environment, but the low EPSS indicates active exploitation is currently uncommon."}}}}, "created": "2025-11-06T10:07:15.541389+00:00", "updated": "2026-04-21T02:00:12.290796+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}