Server-Side Request Forgery in WordPress Icon List Block Plugin
CVE-2025-12376

6.4MEDIUM

Key Information:

Vendor

WordPress
Status
Icon List Block – Add Icon-based Lists With Custom Styles
Vendor
CVE Published:
18 November 2025

What is CVE-2025-12376?

The Icon List Block Plugin for WordPress is affected by a vulnerability that allows authenticated users with Subscriber-level access and above to send unauthorized requests to external services. This issue stems from the fs_api_request function, which processes web requests without proper validation, enabling attackers to interact with internal services. The response only renders valid JSON objects, but the potential for information disclosure or modification remains a significant concern for users operating versions up to 1.2.1.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Icon List Block – Add Icon-Based Lists with Custom Styles * <= 1.2.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/icon-list-bloc...

CVSS V3.1

Score:
6.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Sushi Com Abacate
JSON
.