CVE-2025-12375 – This Server-Side Request Forgery (SSRF) vulnera... (How to Fix)

Q: What is the severity of CVE-2025-12375?

CVE-2025-12375 has a CVSS score of 6.4 (MEDIUM). This Server-Side Request Forgery (SSRF) vulnerability in the Printful Integration for WooCommerce WordPress plugin allows authenticated attackers with Contributor-level access or higher to make arbitrary web requests from the vulnerable server. Attackers can query and potentially modify internal services that shouldn't be accessible from external networks. All WordPress sites using this plugin up to version 2.2.11 are affected.

📋 TL;DR

This Server-Side Request Forgery (SSRF) vulnerability in the Printful Integration for WooCommerce WordPress plugin allows authenticated attackers with Contributor-level access or higher to make arbitrary web requests from the vulnerable server. Attackers can query and potentially modify internal services that shouldn't be accessible from external networks. All WordPress sites using this plugin up to version 2.2.11 are affected.

💻 Affected Systems

Products:

Printful Integration for WooCommerce WordPress plugin

Versions: All versions up to and including 2.2.11

Operating Systems: Any OS running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Requires WordPress with WooCommerce and the Printful plugin installed. The vulnerability is in the advanced size chart REST API endpoint.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could access internal services, steal sensitive data from internal APIs, perform port scanning of internal networks, or potentially achieve remote code execution by interacting with internal services that accept malicious input.

🟠

Likely Case

Information disclosure from internal services, reconnaissance of internal network structure, and potential data exfiltration from internal APIs accessible to the web server.

🟢

If Mitigated

Limited impact if internal services are properly segmented and hardened, with attackers only able to make requests but not access sensitive systems.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires Contributor-level WordPress access or higher. The vulnerability is in the download_url() function call with insufficient URL validation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.2.12 or later

Vendor Advisory: https://plugins.trac.wordpress.org/browser/printful-shipping-for-woocommerce

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Printful Integration for WooCommerce'. 4. Click 'Update Now' if available. 5. Alternatively, download latest version from WordPress plugin repository and manually update.

🔧 Temporary Workarounds

Disable vulnerable REST endpoint

all

Remove or restrict access to the advanced size chart REST API endpoint

Add to theme's functions.php or custom plugin: remove_action('rest_api_init', array($printful_rest_api, 'register_routes'));

Restrict user roles

all

Limit Contributor and higher roles to trusted users only

🧯 If You Can't Patch

Implement network segmentation to isolate the WordPress server from internal services
Deploy a web application firewall (WAF) with SSRF protection rules

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Printful Integration for WooCommerce → Version. If version is 2.2.11 or lower, you are vulnerable.

Check Version:

wp plugin list --name='Printful Integration for WooCommerce' --field=version

Verify Fix Applied:

After updating, verify plugin version shows 2.2.12 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

Unusual outbound HTTP requests from web server to internal IPs
Requests to /wp-json/printful/v1/advanced-size-chart with URL parameters
Multiple failed requests to internal services from web server IP

Network Indicators:

Web server making requests to internal IP ranges (10.x.x.x, 172.16.x.x, 192.168.x.x)
Unusual port scanning activity originating from web server

SIEM Query:

source="web_server_logs" AND (uri="/wp-json/printful/v1/advanced-size-chart" OR user_agent CONTAINS "WordPress") AND dest_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)

📊 Metadata

CVE ID: CVE-2025-12375

CVSS v3 Score: 6.4 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CWE: CWE-918

Published: February 19, 2026

Last Updated: February 19, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-12375, you might also want to check these: