Server-Side Request Forgery in Oxygen Theme for WordPress
CVE-2025-12886

7.2HIGH

Key Information:

Vendor: WordPress
Status: Oxygen - WooCommerce WordPress Theme
Vendor: CVE Published:; 28 March 2026

What is CVE-2025-12886?

The Oxygen Theme for WordPress has a vulnerability that permits Server-Side Request Forgery, affecting all versions up to and including 6.0.8. Through the laborator_calc_route AJAX action, unauthenticated attackers can exploit this vulnerability to initiate web requests to arbitrary locations from the web application. This exploit could allow for unauthorized querying and modification of data from internal services, posing a significant security risk for users.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Oxygen - WooCommerce WordPress Theme * <= 6.0.8

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://documentation.laborator.co/kb/oxygen/oxygen-relea...

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 28, 2026
Vulnerability Reserved
Nov 7, 2025

Credit

Ahmed Rayen Ayari

JSON

WordPress