Icon List Block – Add Icon-Based Lists with Custom Styles

6.4 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Description

The Icon List Block – Add Icon-Based Lists with Custom Styles plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.2.1 via the fs_api_request function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. Only valid JSON objects are rendered in the response.

Basic Information

ID CVE-2025-12376

Source Wordfence

Published Nov 18, 2025 at 13:54

Modified Nov 18, 2025 at 14:30

Affected Product

Vendor bplugins

Product Icon List Block – Add Icon-Based Lists with Custom Styles

Version *

Affected Versions bplugins Icon List Block – Add Icon-Based Lists with Custom Styles *

CWE Classification

CWE-918

References

{
    "lastseen": "",
    "description": "The Icon List Block \u2013 Add Icon-Based Lists with Custom Styles plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.2.1 via the fs_api_request function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. Only valid JSON objects are rendered in the response.",
    "published": "2025-11-18T13:54:50.042Z",
    "modified": "2025-11-18T14:30:38.295Z",
    "type": "cve",
    "title": "Icon List Block \u2013 Add Icon-Based Lists with Custom Styles <= 1.2.1 - Authenticated (Subscriber+) Server-Side Request Forgery",
    "source": "Wordfence",
    "references": "https://www.wordfence.com/threat-intel/vulnerabilities/id/438e2911-7663-44fe-883f-19ad29972aac?source=cve\nhttps://plugins.trac.wordpress.org/browser/icon-list-block/tags/1.2.0/bplugins_sdk/inc/Base/FSActivate.php#L168",
    "id": "CVE-2025-12376",
    "bulletinFamily": "",
    "cwe": [
        "CWE-918"
    ],
    "cvelist": null,
    "sourceData": "bplugins Icon List Block \u2013 Add Icon-Based Lists with Custom Styles *",
    "sourceHref": "",
    "cvss": {
        "score": 6.4,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Icon List Block \u2013 Add Icon-Based Lists with Custom Styles",
    "version": "*",
    "vendor": "bplugins",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Icon List Block – Add Icon-Based Lists with Custom Styles <= 1.2.1 - Authenticated (Subscriber+) Server-Side Request Forgery_CVE-2025-12376