CVE-2025-12376 - Vulnerability Details

- Icon List Block – Add Icon-Based Lists with Custom Styles <= 1.2.1 - Authenticated (Subscriber+) Server-Side Request Forgery

Description

The Icon List Block – Add Icon-Based Lists with Custom Styles plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.2.1 via the fs_api_request function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. Only valid JSON objects are rendered in the response.

Published: 2025-11-18

Score: 6.4 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Icon List Block – Add Icon-Based Lists with Custom Styles plugin for WordPress contains a Server‑Side Request Forgery flaw. The vulnerable fs_api_request function permits authenticated users with Subscriber or higher privileges to send HTTP requests to arbitrary URLs from the host, allowing them to read from or manipulate internal network services. Because the response is filtered to only valid JSON, the attacker can still consume sensitive data or trigger actions on internal systems without immediate visible error.

Affected Systems

WordPress installations running any version of the Icon List Block plugin up to and including 1.2.1 are affected. The vulnerability exists in all checked releases of the plugin’s code base; any site that has not updated beyond 1.2.1 remains at risk.

Risk and Exploitability

The CVSS base score of 6.4 indicates a moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The issue is not in the CISA KEV catalog. Nonetheless, exploitation requires only legitimate Subscriber‑level credentials, so the risk surface is limited to sites that grant such permissions. An attacker could use the flaw to exfiltrate internal data or alter services, manipulating the web application’s internal network view.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

bplugins

Icon List Block – Add Icon-Based Lists with Custom Styles

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.2.1

No data.

Vendor	Product	Confidence	Versions
Wordpress	Wordpress	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Icon List Block plugin to the latest release that removes the SSRF vulnerability.
If an update is not yet available, deactivate the fs_api_request feature by disabling the plugin or modifying its code to prevent outbound requests until a fix is released.
Employ an application or web‑server firewall to block outbound HTTP requests from the application to internal IP ranges or untrusted domains, mitigating potential exploitation.

Generated by OpenCVE AI on April 22, 2026 at 11:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00034.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://plugins.trac.wordpress.org/browser/icon-list-block/tags/1.2.0/bplugins_sdk/inc/Base/FSActivate.php#L168
https://www.wordfence.com/threat-intel/vulnerabilities/id/438e2911-7663-44fe-883f-19ad29972aac?source=cve

History

Thu, 20 Nov 2025 10:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Wordpress Wordpress wordpress
Vendors & Products		Wordpress Wordpress wordpress

Tue, 18 Nov 2025 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 18 Nov 2025 14:30:00 +0000

Type	Values Removed	Values Added
Description		The Icon List Block – Add Icon-Based Lists with Custom Styles plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.2.1 via the fs_api_request function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. Only valid JSON objects are rendered in the response.
Title		Icon List Block – Add Icon-Based Lists with Custom Styles <= 1.2.1 - Authenticated (Subscriber+) Server-Side Request Forgery
Weaknesses		CWE-918
References		https://plugins.trac.wordpress.org/browser/icon-list-block/tags/1.2.0/bplugins_sdk/inc/Base/FSActivate.php#L168 https://www.wordfence.com/threat-intel/vulnerabilities/id/438e2911-7663-44fe-883f-19ad29972aac?source=cve
Metrics		cvssV3_1 `{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}`