WordPress Plugin Vulnerabilities

Icon List Block – Add Icon-Based Lists with Custom Styles < 1.2.2 - Authenticated (Subscriber+) Server-Side Request Forgery

Description

The Icon List Block – Add Icon-Based Lists with Custom Styles plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.2.1 via the fs_api_request function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. Only valid JSON objects are rendered in the response.

Affects Plugins

Plugin icon
icon-list-block
Fixed in 1.2.2

References

CVE
CVE-2025-12376
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/438e2911-7663-44fe-883f-19ad29972aac

Classification

Type
SSRF
OWASP top 10
A1: Injection
CWE
CWE-918
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Sushi Com Abacate
Verified
No
WPVDB ID
9e76d7f1-33ec-4eb3-9f03-e388992d1c08

Timeline

Publicly Published
2025-11-18 (about 5 months ago)
Added
2025-11-18 (about 5 months ago)
Last Updated
2025-11-18 (about 5 months ago)

Other

Published
Title
Published
2025-05-07
Title
WebinarPress <= 1.33.27 - Authenticated (Administrator+) Server-Side Request Forgery
Published
2018-01-20
Title
Google Forms <= 0.91 - Unauthenticated Server-Side Request Forgery (SSRF)
Published
2024-06-20
Title
WP Scraper < 5.8.1 - Authenticated (Subscriber+) Server-Side Request Forgery
Published
2022-02-28
Title
Formcraft3 < 3.8.28 - Unauthenticated SSRF
Published
2026-02-13
Title
Share This Image < 2.15 - Unauthenticated Server-Side Request Forgery