CVE-2025-12962

Name of the Vulnerable Software and Affected Versions Local Syndication plugin for WordPress versions prior to 1.5a

Description The Local Syndication plugin for WordPress is susceptible to Server-Side Request Forgery (SSRF) in versions up to and including 1.5a. The issue stems from the use of wp remote get() instead of wp safe remote get(), which lacks safeguards against requests to internal or private IP addresses and localhost. This allows authenticated attackers with Contributor-level access or higher to make web requests to arbitrary locations from the web application. Exploitation can lead to querying and modifying information from internal services, scanning internal networks, and accessing resources that should not be externally accessible. The vulnerability is triggered through the url parameter within the [syndicate local] shortcode.

Recommendations Update the Local Syndication plugin to a version later than 1.5a.