{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12560", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-31T18:01:44.334Z", "datePublished": "2025-11-06T05:31:24.932Z", "dateUpdated": "2026-04-08T16:44:27.427Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:44:27.427Z"}, "affected": [{"vendor": "pr-gateway", "product": "Blog2Social: Social Media Auto Post & Scheduler", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "8.6.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 8.6.0 via the getFullContent() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services."}], "title": "Blog2Social: Social Media Auto Post & Scheduler <= 8.6.0 - Authenticated (Subscriber+) Blind Server-Side Request Forgery via post_url", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2ea06520-d7a9-49bb-812e-2fa2e50d0ec2?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3389636/blog2social"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-918 Server-Side Request Forgery (SSRF)", "cweId": "CWE-918", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "LionTree"}], "timeline": [{"time": "2025-10-31T18:17:50.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-11-05T17:30:36.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-06T15:40:45.427228Z", "id": "CVE-2025-12560", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-06T15:40:57.868Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12560", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-06T15:40:45.427228Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-06T15:40:54.557Z"}}], "cna": {"title": "Blog2Social: Social Media Auto Post & Scheduler <= 8.6.0 - Authenticated (Subscriber+) Blind Server-Side Request Forgery via post_url", "credits": [{"lang": "en", "type": "finder", "value": "LionTree"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "pr-gateway", "product": "Blog2Social: Social Media Auto Post & Scheduler", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "8.6.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-31T18:17:50.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-11-05T17:30:36.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2ea06520-d7a9-49bb-812e-2fa2e50d0ec2?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3389636/blog2social"}], "descriptions": [{"lang": "en", "value": "The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 8.6.0 via the getFullContent() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:44:27.427Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12560", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:44:27.427Z", "dateReserved": "2025-10-31T18:01:44.334Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-06T05:31:24.932Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 8.6.0 via the getFullContent() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services."}], "id": "CVE-2025-12560", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2025-11-06T06:15:44.340", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3389636/blog2social"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2ea06520-d7a9-49bb-812e-2fa2e50d0ec2?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T21:18:11.685563+00:00", "value": {"mitigation_remediation": ["Update the Blog2Social plugin to the latest release that removes the SSRF issue.\n", "If the plugin is not needed, uninstall or disable it entirely.\n", "Apply the principle of least privilege by removing Subscriber access or restricting those roles from performing actions that load external content until the patch is applied."], "summary": {"action": "Patch Now", "impact": "Authenticated Server\u2011Side Request Forgery"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all releases of the Blog2Social: Social Media Auto Post & Scheduler plugin up to and including version 8.6.0. Users running those versions on any WordPress installation are potentially impacted.\n", "description_and_impact": "The Blog2Social plugin for WordPress contains a blind Server\u2011Side Request Forgery vulnerability that can be triggered via the getFullContent() function. Authenticated users with Subscriber or higher privileges can make the application issue HTTP requests to arbitrary URLs, enabling them to probe and potentially manipulate internal network resources. The flaw permits the attacker to read or modify data on internal services, compromising data confidentiality and integrity.\n", "risk_and_exploitability": "The CVSS base score of 4.3 indicates moderate severity; the EPSS score of less than 1% suggests a very low current exploitation probability. The flaw is not listed in the CISA KEV catalog. Exploitation requires the attacker to log in with at least Subscriber level privileges and to craft a request targeting the vulnerable function. If internal services are reachable from the server, the vulnerability can be used to exfiltrate data or perform unauthorized actions, but the lack of public exploitation data and the low EPSS score mitigate immediate risk.\n"}}}}, "created": "2025-11-06T10:06:44.452336+00:00", "updated": "2026-04-22T21:30:27.815332+00:00", "vendors": ["blog2social", "blog2social$PRODUCT$blog2social", "wordpress", "wordpress$PRODUCT$wordpress"]}