Description
The B Carousel Block – Responsive Image and Content Carousel plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 1.1.5. This is due to the plugin not validating user-supplied URLs before passing them to the wp_remote_request() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Published: 2025-11-05
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery
Action: Update Plugin
AI Analysis

Impact

The plugin passes a user-supplied URL to wp_remote_request() without validating it, so any authenticated user, down to the Subscriber role, can make the WordPress server issue HTTP requests to a destination of the attacker's choosing. Because the request originates from the server, it reaches anything the server can reach: loopback services, hosts on private ranges, and (on cloud instances) the instance metadata endpoint. Responses can disclose data from those services, and where they accept unauthenticated requests the attacker can also change their state or use them as a pivot. The weakness is CWE-918 (Server-Side Request Forgery).

Affected Systems

The vulnerability affects the WordPress plugin B Carousel Block – Responsive Image and Content Carousel in versions up to and including 1.1.5. The CVE title classifies the root cause as missing authorization, meaning the code path that performs the fetch is reachable by any logged-in account rather than gated on an editing capability. Every site with an affected version active is therefore exposed to all of its users, including Subscribers; sites that allow self-registration (Settings > General > "Anyone can register") expose it to anyone on the internet.

Risk and Exploitability

The CVSS 3.1 base score of 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) describes a network-reachable, low-complexity attack that needs only low privileges and no user interaction; the changed scope (S:C) records that the impact lands on systems other than the plugin itself, namely whatever the web server can reach. The EPSS score below 1% and the absence of a CISA KEV entry indicate no observed exploitation, consistent with the SSVC record on this page (Exploitation: none, Automatable: no). The authentication prerequisite is a weak barrier: Subscriber is the lowest default WordPress role, so on a site with open registration the effective attacker population is unauthenticated. Once logged in, the attacker supplies a URL to the affected code path and the server fetches it with wp_remote_request(), which by default performs no destination check (unlike wp_safe_remote_request(), which rejects loopback and private-range addresses). Exploitation is therefore straightforward once the path is reached; the low EPSS reflects observed activity, not technical difficulty.

Generated by OpenCVE AI on April 21, 2026 at 01:51 UTC.
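The code path described above, in a hypothetical form, as an added example that is not code from the B Carousel Block plugin: an admin-ajax handler in the vulnerable shape the advisory describes, followed by a hardened version that adds an authorization check, a CSRF nonce, a host allow-list, and wp_safe_remote_request(). The action names, the "url" POST field, the "bcb_" prefix, the "bcb_allowed_fetch_hosts" filter and the "edit_posts" capability are all assumptions for illustration.

```php
<?php
// Added example, not code from the B Carousel Block plugin. Action names, the
// 'url' POST field, the 'bcb_' prefix and the 'edit_posts' capability are
// assumptions chosen for illustration.

// Vulnerable shape: hooked on wp_ajax_* so every logged-in user can reach it,
// no capability check, no nonce, and the raw URL goes straight to
// wp_remote_request(), which does not validate destinations by default.
add_action( 'wp_ajax_bcb_fetch_unsafe', function () {
    $url      = isset( $_POST['url'] ) ? wp_unslash( $_POST['url'] ) : '';
    $response = wp_remote_request( $url, array( 'method' => 'GET' ) );
    wp_send_json( array( 'body' => wp_remote_retrieve_body( $response ) ) );
} );

/**
 * Validate a user-supplied URL before the server fetches it.
 * Returns the sanitised URL on success or a WP_Error.
 */
function bcb_validate_fetch_url( $url, array $allowed_hosts ) {
    // esc_url_raw() with an explicit protocol list returns '' for anything
    // that is not http/https (file:, gopher:, javascript:, ...).
    $url = esc_url_raw( trim( (string) $url ), array( 'http', 'https' ) );
    if ( '' === $url ) {
        return new WP_Error( 'bcb_bad_scheme', 'Only http(s) URLs are accepted.' );
    }
    $parts = (array) wp_parse_url( $url );
    if ( empty( $parts['host'] ) || isset( $parts['user'] ) || isset( $parts['pass'] ) ) {
        return new WP_Error( 'bcb_bad_url', 'URL must name a host and carry no credentials.' );
    }
    // Exact, case-insensitive host match; no suffix matching, so
    // "cdn.example.com.attacker.tld" does not pass.
    if ( ! in_array( strtolower( $parts['host'] ), $allowed_hosts, true ) ) {
        return new WP_Error( 'bcb_host_not_allowed', 'Host is not on the allow-list.' );
    }
    if ( ! empty( $parts['port'] ) && ! in_array( (int) $parts['port'], array( 80, 443 ), true ) ) {
        return new WP_Error( 'bcb_bad_port', 'Only ports 80 and 443 are accepted.' );
    }
    return $url;
}

// Hardened shape: authorisation, CSRF nonce, allow-listed destination, and
// wp_safe_remote_request() so core's wp_http_validate_url() also runs.
add_action( 'wp_ajax_bcb_fetch', function () {
    check_ajax_referer( 'bcb_fetch' );                // nonce minted for the editor UI
    if ( ! current_user_can( 'edit_posts' ) ) {       // Subscribers stop here
        wp_send_json_error( 'forbidden', 403 );
    }

    // Hypothetical filter so site owners can extend the allow-list.
    $allowed = apply_filters( 'bcb_allowed_fetch_hosts', array( 'cdn.example.com' ) );
    $url     = bcb_validate_fetch_url( isset( $_POST['url'] ) ? wp_unslash( $_POST['url'] ) : '', $allowed );
    if ( is_wp_error( $url ) ) {
        wp_send_json_error( $url->get_error_message(), 400 );
    }

    $response = wp_safe_remote_request( $url, array(
        'method'      => 'GET',
        'timeout'     => 5,
        'redirection' => 0,   // an allow-listed host must not be able to redirect us elsewhere
    ) );
    if ( is_wp_error( $response ) ) {
        wp_send_json_error( $response->get_error_message(), 502 );
    }
    wp_send_json_success( array( 'body' => wp_remote_retrieve_body( $response ) ) );
} );
```

The allow-list does the real work here; wp_safe_remote_request() (which sets reject_unsafe_urls so that wp_http_validate_url() runs) is defence in depth, not a substitute. Core's check rejects 127/8, 10/8, 172.16/12, 192.168/16 and 0/8 after a single gethostbyname() lookup, so at the time of writing it does not cover link-local 169.254/16 (the cloud metadata range), IPv6 addresses, or a DNS name that changes its answer between the check and the connection; verify the behaviour against the WordPress version you run.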

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a version newer than 1.1.5 as soon as the vendor publishes one, and confirm in the plugin changelog that the release addresses the SSRF; this page records no fixed version.
  • If an upgrade is not possible, deactivate or uninstall the plugin until a patched release is available. Deactivation alone removes the vulnerable code path, since nothing in the plugin runs while it is inactive.
  • As a temporary workaround, restrict the server's outbound HTTP(S) traffic in two layers: in WordPress, register a must-use plugin on the pre_http_request filter that refuses requests whose destination resolves to loopback, RFC 1918, link-local (including 169.254.169.254) or IPv6-local addresses, and make sure no plugin returns true from http_request_host_is_external; at the host or network level, add egress rules so the web server can reach only the destinations it needs. The network-level rules are the ones that survive a plugin bypass.
  • Treat accounts as part of the attack surface: disable "Anyone can register" unless it is needed, and review existing Subscriber accounts.

Generated by OpenCVE AI on April 21, 2026 at 01:51 UTC.
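The WordPress half of the workaround above, as an added example that is not part of the affected plugin or of OpenCVE's text: a must-use plugin that hooks pre_http_request, resolves the destination, and refuses any request whose host maps to a non-public address. The plugin name, function prefix and file name are assumptions; it relies only on core WordPress hooks and PHP's filter_var()/dns_get_record().

```php
<?php
/**
 * Plugin Name: Egress Guard (added example)
 * Description: Site-wide SSRF backstop. Added example, not part of any plugin
 * discussed on this page. Install as wp-content/mu-plugins/egress-guard.php.
 * The plugin name and the egress_guard_ prefix are assumptions.
 */

/**
 * True if $ip is not a public unicast address: loopback, RFC 1918, link-local
 * (which includes the 169.254.169.254 cloud metadata endpoint), reserved, or
 * not a well-formed IPv4/IPv6 literal at all (fail closed).
 */
function egress_guard_is_internal_ip( $ip ) {
    return false === filter_var(
        (string) $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    );
}

/**
 * Return every A/AAAA address for $host (or the literal itself when $host is
 * already an IP), or an empty array when resolution fails.
 */
function egress_guard_resolve( $host ) {
    if ( false !== filter_var( $host, FILTER_VALIDATE_IP ) ) {
        return array( $host );
    }
    $ips = array();
    foreach ( (array) @dns_get_record( $host, DNS_A | DNS_AAAA ) as $rr ) {
        if ( ! empty( $rr['ip'] ) )   { $ips[] = $rr['ip']; }
        if ( ! empty( $rr['ipv6'] ) ) { $ips[] = $rr['ipv6']; }
    }
    return $ips;
}

/**
 * pre_http_request runs before WP_Http sends anything. Returning a WP_Error
 * short-circuits the request (the caller gets the error); returning false
 * lets it proceed unchanged.
 */
add_filter( 'pre_http_request', function ( $preempt, $parsed_args, $url ) {
    if ( false !== $preempt ) {
        return $preempt;                          // another filter already answered
    }
    $parts  = (array) wp_parse_url( $url );       // false becomes an empty array
    $scheme = strtolower( $parts['scheme'] ?? '' );
    $host   = strtolower( trim( $parts['host'] ?? '', '[].' ) ); // drop IPv6 brackets, trailing dot
    if ( '' === $host || ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
        return new WP_Error( 'egress_blocked', 'Egress guard: refusing non-http(s) or host-less URL.' );
    }

    // Loopback calls to the site itself (WP-Cron, REST self-tests) are allowed
    // by hostname only; that name comes from site configuration, not from input.
    $self = strtolower( (string) wp_parse_url( home_url(), PHP_URL_HOST ) );
    if ( $host === $self ) {
        return false;
    }

    $ips = egress_guard_resolve( $host );
    if ( empty( $ips ) ) {                        // "127.1", "0x7f000001", unresolvable: blocked
        return new WP_Error( 'egress_blocked', 'Egress guard: could not resolve ' . $host );
    }
    foreach ( $ips as $ip ) {                     // one internal answer is enough to refuse
        if ( egress_guard_is_internal_ip( $ip ) ) {
            return new WP_Error( 'egress_blocked', "Egress guard: $host resolves to non-public address $ip" );
        }
    }
    return false;                                 // every address is public: proceed
}, 10, 3 );

// Prevent any other plugin from telling core's wp_http_validate_url() that a
// private-range host should be treated as external.
add_filter( 'http_request_host_is_external', '__return_false', PHP_INT_MAX );
```

Two caveats for anyone deploying this. First, the lookup here and the connection WP_Http makes a moment later are separate DNS resolutions, so a name under attacker control can still answer with a public address for the check and a private one for the connection (DNS rebinding); only a network-level egress rule, or resolving once and connecting by IP, closes that gap. Second, the filter will break plugins that legitimately call internal services (a private object store, an internal search backend); add those hostnames next to the home_url() exemption rather than loosening the address check.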


Advisories

No advisories yet.

History

Thu, 06 Nov 2025 10:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Wordpress
                                      Wordpress wordpress
Vendors & Products                    Wordpress
                                      Wordpress wordpress

Wed, 05 Nov 2025 15:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 05 Nov 2025 06:45:00 +0000

Type          Values Removed   Values Added
Description                    The B Carousel Block – Responsive Image and Content Carousel plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 1.1.5. This is due to the plugin not validating user-supplied URLs before passing them to the wp_remote_request() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Title                          B Carousel Block – Responsive Image and Content Carousel <= 1.1.5 - Missing Authorization to Authenticated (Subscriber+) Server-Side Request Forgery
Weaknesses                     CWE-918
References
Metrics                        cvssV3_1
                               {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:23:27.070Z

Reserved: 2025-10-28T13:10:16.204Z

Link: CVE-2025-12388

Vulnrichment

Updated: 2025-11-05T14:23:25.527Z

NVD

Status : Deferred

Published: 2025-11-05T07:15:32.813

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12388

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T02:00:12Z

Weaknesses