Description
The Oxygen Theme theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.0.8 via the laborator_calc_route AJAX action. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Published: 2026-03-28
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery allowing unauthenticated attackers to trigger internal web requests
Action: Patch Now
AI Analysis

Impact

The Oxygen theme for WordPress is vulnerable to Server‑Side Request Forgery in all versions up to and including 6.0.8. The flaw resides in the laborator_calc_route AJAX action, which allows an attacker to issue arbitrary HTTP requests from the application. By exploiting this, a malicious actor can retrieve or alter data from internal network services, potentially exposing sensitive information or manipulating internal systems. This weakness matches CWE‑918.

Affected Systems

The affected products are the Laborator Oxygen WooCommerce WordPress Theme, all releases through version 6.0.8. Sites that have not upgraded beyond this point are susceptible. No additional vendor or product variants are listed.

Risk and Exploitability

The vulnerability scores 7.2 on the CVSS scale, indicating a high impact potential. No EPSS score is available and it is not listed in the CISA KEV catalog, but the lack of authentication required and the ability to reach internal resources make exploitation attractive. Attackers can trigger the SSRF through unauthenticated POST requests to the endpoint, with no additional conditions reported.

Generated by OpenCVE AI on March 28, 2026 at 05:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Oxygen theme to version 6.0.9 or newer.
  • If updating is not possible, disable or restrict access to the laborator_calc_route AJAX endpoint.
  • Monitor web application logs for unexpected outbound requests and investigate suspicious activity.

Generated by OpenCVE AI on March 28, 2026 at 05:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 28 Mar 2026 03:15:00 +0000

Type Values Removed Values Added
Description The Oxygen Theme theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.0.8 via the laborator_calc_route AJAX action. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Title Oxygen <= 6.0.8 - Unauthenticated Server-Side Request Forgery via route_path
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-03-28T02:26:37.080Z

Reserved: 2025-11-07T17:25:24.963Z

Link: CVE-2025-12886

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-03-28T04:16:49.323

Modified: 2026-03-28T04:16:49.323

Link: CVE-2025-12886

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-29T20:32:43Z

Weaknesses