{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12886", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-07T17:25:24.963Z", "datePublished": "2026-03-28T02:26:37.080Z", "dateUpdated": "2026-03-30T14:53:49.448Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-28T02:26:37.080Z"}, "affected": [{"vendor": "Laborator", "product": "Oxygen - WooCommerce WordPress Theme", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "6.0.8", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Oxygen Theme theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.0.8 via the laborator_calc_route AJAX action. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services."}], "title": "Oxygen <= 6.0.8 - Unauthenticated Server-Side Request Forgery via route_path", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8c83f430-8a4d-40fa-890c-387c787a3b55?source=cve"}, {"url": "https://documentation.laborator.co/kb/oxygen/oxygen-release-notes/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-918 Server-Side Request Forgery (SSRF)", "cweId": "CWE-918", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "baseScore": 7.2, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Ahmed Rayen Ayari"}], "timeline": [{"time": "2026-03-27T14:05:45.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T13:15:35.819105Z", "id": "CVE-2025-12886", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T14:53:49.448Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12886", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T13:15:35.819105Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T13:16:04.543Z"}}], "cna": {"title": "Oxygen <= 6.0.8 - Unauthenticated Server-Side Request Forgery via route_path", "credits": [{"lang": "en", "type": "finder", "value": "Ahmed Rayen Ayari"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "Laborator", "product": "Oxygen - WooCommerce WordPress Theme", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "6.0.8"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-27T14:05:45.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8c83f430-8a4d-40fa-890c-387c787a3b55?source=cve"}, {"url": "https://documentation.laborator.co/kb/oxygen/oxygen-release-notes/"}], "descriptions": [{"lang": "en", "value": "The Oxygen Theme theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.0.8 via the laborator_calc_route AJAX action. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-28T02:26:37.080Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12886", "state": "PUBLISHED", "dateUpdated": "2026-03-30T14:53:49.448Z", "dateReserved": "2025-11-07T17:25:24.963Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-28T02:26:37.080Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Oxygen Theme theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.0.8 via the laborator_calc_route AJAX action. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services."}], "id": "CVE-2025-12886", "lastModified": "2026-03-30T13:26:07.647", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-03-28T04:16:49.323", "references": [{"source": "security@wordfence.com", "url": "https://documentation.laborator.co/kb/oxygen/oxygen-release-notes/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8c83f430-8a4d-40fa-890c-387c787a3b55?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.0.8]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Oxygen - WooCommerce WordPress Theme", "source": "cna", "vendor": "Laborator"}, "product": "oxygen_-_woocommerce_wordpress_theme", "vendor": "laborator"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-28T05:08:32.255475+00:00", "value": {"mitigation_remediation": ["Update the Oxygen theme to version 6.0.9 or newer.", "If updating is not possible, disable or restrict access to the laborator_calc_route AJAX endpoint.", "Monitor web application logs for unexpected outbound requests and investigate suspicious activity."], "summary": {"action": "Patch Now", "impact": "Server\u2011Side Request Forgery allowing unauthenticated attackers to trigger internal web requests"}, "threat_synthesis": {"affected_systems": "The affected products are the Laborator Oxygen WooCommerce WordPress Theme, all releases through version 6.0.8. Sites that have not upgraded beyond this point are susceptible. No additional vendor or product variants are listed.", "description_and_impact": "The Oxygen theme for WordPress is vulnerable to Server\u2011Side Request Forgery in all versions up to and including 6.0.8. The flaw resides in the laborator_calc_route AJAX action, which allows an attacker to issue arbitrary HTTP requests from the application. By exploiting this, a malicious actor can retrieve or alter data from internal network services, potentially exposing sensitive information or manipulating internal systems. This weakness matches CWE\u2011918.", "risk_and_exploitability": "The vulnerability scores 7.2 on the CVSS scale, indicating a high impact potential. No EPSS score is available and it is not listed in the CISA KEV catalog, but the lack of authentication required and the ability to reach internal resources make exploitation attractive. Attackers can trigger the SSRF through unauthenticated POST requests to the endpoint, with no additional conditions reported."}}}}, "created": "2026-03-29T20:32:43.185753+00:00", "updated": "2026-03-30T06:59:51.733005+00:00", "vendors": ["laborator", "laborator$PRODUCT$oxygen_-_woocommerce_wordpress_theme", "wordpress", "wordpress$PRODUCT$wordpress"]}