Oxygen Theme WordPress Plugin Vulnerable to Server-Side Request Forgery (CVE-2025-12886)
The Oxygen Theme for WordPress is vulnerable to Server-Side Request Forgery (SSRF) in versions up to 6.0.8, allowing unauthenticated attackers to make arbitrary web requests via the laborator_calc_route AJAX action.
The Oxygen Theme WordPress plugin, versions 6.0.8 and earlier, contains a Server-Side Request Forgery (SSRF) vulnerability (CVE-2025-12886). This flaw allows unauthenticated attackers to send crafted requests to the WordPress server, potentially forcing it to make outbound connections to internal or external resources. The vulnerability is located within the laborator_calc_route AJAX action. By exploiting this, attackers can potentially access sensitive internal resources, bypass firewall…
Detection coverage (2 rules)
Oxygen Theme SSRF Detection
Severity: high. Detects potential SSRF attempts via the laborator_calc_route AJAX action in the Oxygen Theme for WordPress.
Oxygen Theme SSRF Detection - Internal IP Address
Severity: critical. Detects potential SSRF attempts to access internal IP addresses via the laborator_calc_route AJAX action in the Oxygen Theme for WordPress.
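The two rule ideas above, sketched over URL-encoded request parameters (query string or logged POST body). This is an added example, not the platform's rules or the theme's code; the parameter name `p`, the sample requests and the function names are constructed, because the page does not name the vulnerable parameter. DNS names that resolve to internal hosts and hex or octal IP forms are not covered.

```python
import ipaddress
from urllib.parse import parse_qsl, urlsplit

ACTION = "laborator_calc_route"  # AJAX action named in the advisory

def host_is_internal(host, allow_int=False):
    """True for localhost or a loopback/private/link-local/reserved IP literal."""
    host = host.rstrip(".")
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        # Decimal form (2130706433 == 127.0.0.1) is only trusted inside a full URL,
        # otherwise small numeric parameters would look like 0.0.0.x addresses.
        ip = ipaddress.ip_address(int(host) if allow_int and host.isdigit() else host)
    except ValueError:
        return False  # DNS name: resolving it is out of scope for this sketch
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_unspecified)

def classify(params):
    """None: other action. 'high': action invoked. 'critical': internal target."""
    pairs = parse_qsl(params, keep_blank_values=True)
    if ("action", ACTION) not in pairs:
        return None
    for key, value in pairs:
        if key == "action":
            continue
        # Try the value as a URL, then as a scheme-less host[:port][/path].
        for candidate, has_scheme in ((value, True), ("//" + value, False)):
            try:
                host = urlsplit(candidate).hostname
            except ValueError:
                continue  # malformed bracketed IPv6 literal
            if host and host_is_internal(host, allow_int=has_scheme):
                return "critical"
    return "high"

# Constructed samples; "p" is a placeholder, not the theme's real parameter name.
SAMPLES = [
    "action=laborator_calc_route&p=https%3A%2F%2Fexample.com%2F",
    "action=laborator_calc_route&p=http%3A%2F%2F169.254.169.254%2F",
    "action=laborator_calc_route&p=192.168.1.10%3A8080%2Fstatus&zoom=12",
    "action=heartbeat&p=http%3A%2F%2F10.0.0.1%2F",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample), sample)
```
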