CVE-2026-1294: CWE-918 Server-Side Request Forgery (SSRF) in bplugins All In One Image Viewer Block – Gutenberg block to create image viewer with hyperlink
CVE-2026-1294 is a high-severity Server-Side Request Forgery (SSRF) vulnerability in the All In One Image Viewer Block WordPress plugin, affecting all versions up to and including 1.0.2. The flaw arises from missing authorization and inadequate URL validation on the plugin's image-proxy REST API endpoint, which lets unauthenticated attackers make the web server issue arbitrary web requests. Those requests can be used to query and modify internal services reachable from the server, exposing sensitive data or enabling further attacks. No user interaction or authentication is required. No exploits are known in the wild at the time of writing; the CVSS 3.1 base score of 7.2 reflects the risk. European organizations running this plugin, especially where internal services are reachable from the web server, are at risk. Mitigation involves updating the plugin as soon as a patch is available, restricting internal network access from the web server, and, for the endpoint itself, enforcing authorization and strict URL validation.
AI Analysis
Technical Summary
CVE-2026-1294 identifies a Server-Side Request Forgery (SSRF) vulnerability in the All In One Image Viewer Block plugin for WordPress, in all versions up to and including 1.0.2. The plugin provides a Gutenberg block that builds an image viewer with hyperlinks. The flaw is in the plugin's image-proxy REST API endpoint: the route enforces no authorization check and does not validate the URL it is asked to fetch, so an unauthenticated attacker can make the web server issue HTTP requests to a destination of the attacker's choosing. Because the request originates from the server, it can reach internal or otherwise protected resources (cloud metadata endpoints, internal APIs, administrative interfaces bound to localhost) that are not exposed externally, which can lead to information disclosure, unauthorized modification of data on those services, or a pivot deeper into the network.

No user interaction or authentication is required. The CVSS 3.1 base score is 7.2 (high), consistent with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N: network attack vector, low attack complexity, no privileges required, no user interaction, changed scope (the resources reached belong to systems other than the vulnerable plugin), low confidentiality and integrity impact, and no availability impact. No exploits are reported in the wild at the time of writing, but an unauthenticated route with an attacker-controlled URL parameter is trivial to automate and belongs to a class that mass scanners routinely probe.

WordPress is widely deployed across European organizations for corporate websites, intranets and public-facing portals, so any site with this plugin installed should be treated as exposed. The record carries no patch link, which suggests a fix may not yet be publicly available and makes interim mitigations the priority.
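The two missing controls described above (no authorization on the route, no validation of the fetched URL) are shown here as an added example: an unsafe REST image-proxy registration of the kind this CWE-918 advisory describes, beside a hardened form. This is illustrative code written for this page, not the All In One Image Viewer Block plugin's code; the namespace `aio-example/v1`, both route names, the `url` parameter, the `aio_example_allowed_image_hosts` filter, the `images.example.com` allowlist entry and the `edit_posts` capability are all assumptions. The WordPress functions used (`register_rest_route`, `wp_safe_remote_get`, `wp_parse_url`, `current_user_can`) are real core APIs.

```php
<?php
// Added example (illustrative, not the All In One Image Viewer Block plugin's
// code). Namespace, routes, the `url` parameter, the allowlist filter name and
// the required capability are assumptions chosen for this page.

// Unsafe pattern of this vulnerability class: anyone may call the route and the
// server fetches whatever URL it is handed. Not hooked in; shown for contrast.
function aio_example_register_unsafe_route() {
    register_rest_route( 'aio-example/v1', '/image-proxy-unsafe', array(
        'methods'             => 'GET',
        'permission_callback' => '__return_true',                 // no authorization
        'callback'            => function ( WP_REST_Request $req ) {
            $res = wp_remote_get( $req->get_param( 'url' ) );     // no URL validation
            return wp_remote_retrieve_body( $res );
        },
    ) );
}

// Hardened form: authorization, strict URL validation, safe fetch.
function aio_example_register_safe_route() {
    register_rest_route( 'aio-example/v1', '/image-proxy', array(
        'methods'             => 'GET',
        // 1. Authorization: only users who can edit content may drive the proxy.
        'permission_callback' => function () {
            return current_user_can( 'edit_posts' );
        },
        'args'                => array(
            'url' => array(
                'required'          => true,
                'validate_callback' => 'aio_example_is_allowed_image_url',
            ),
        ),
        'callback'            => 'aio_example_proxy_image',
    ) );
}

// 2. URL validation: https only, no credentials, no custom port, host on an
//    explicit allowlist, and the resolved address must be public. The filter
//    flags reject 10/8, 172.16/12, 192.168/16, 127/8, 169.254/16 (cloud
//    metadata) and the IPv6 equivalents; a literal IP never passes.
function aio_example_is_allowed_image_url( $url ) {
    if ( ! is_string( $url ) || strlen( $url ) > 2048 ) {
        return false;
    }
    $p = wp_parse_url( $url );
    if ( empty( $p['scheme'] ) || 'https' !== strtolower( $p['scheme'] ) ) {
        return false;
    }
    if ( empty( $p['host'] ) || isset( $p['user'] ) || isset( $p['pass'] ) ) {
        return false;
    }
    if ( isset( $p['port'] ) && 443 !== (int) $p['port'] ) {
        return false;
    }
    $host    = strtolower( rtrim( $p['host'], '.' ) );
    $allowed = apply_filters( 'aio_example_allowed_image_hosts', array( 'images.example.com' ) );
    if ( ! in_array( $host, $allowed, true ) || filter_var( $host, FILTER_VALIDATE_IP ) ) {
        return false;
    }
    $ip = gethostbyname( $host );          // IPv4 only; IPv6-only hosts are rejected
    if ( $ip === $host ) {
        return false;                      // resolution failed
    }
    return false !== filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE );
}

// 3. Fetch with the safe HTTP client: reject_unsafe_urls re-validates the URL
//    at request time, redirects are disabled so a 302 cannot point the server
//    at an internal host, and the response size is capped.
function aio_example_proxy_image( WP_REST_Request $req ) {
    $res = wp_safe_remote_get( $req->get_param( 'url' ), array(
        'timeout'             => 5,
        'redirection'         => 0,
        'limit_response_size' => 5 * MB_IN_BYTES,
    ) );
    if ( is_wp_error( $res ) || 200 !== wp_remote_retrieve_response_code( $res ) ) {
        return new WP_Error( 'aio_fetch_failed', 'Upstream fetch failed', array( 'status' => 502 ) );
    }
    $type = wp_remote_retrieve_header( $res, 'content-type' );
    $type = is_array( $type ) ? (string) reset( $type ) : (string) $type;
    if ( 0 !== strpos( $type, 'image/' ) ) {
        return new WP_Error( 'aio_not_image', 'Upstream is not an image', array( 'status' => 415 ) );
    }
    // Hand the bytes back inside the JSON envelope as a data URL.
    return rest_ensure_response( array(
        'data_url' => 'data:' . $type . ';base64,' . base64_encode( wp_remote_retrieve_body( $res ) ),
    ) );
}

add_action( 'rest_api_init', 'aio_example_register_safe_route' );
```

Two caveats a reviewer would raise. First, the resolve-then-fetch sequence is a time-of-check/time-of-use window: a DNS name can answer with a public address during validation and a private one during the fetch (DNS rebinding). `wp_safe_remote_get` re-resolves and re-checks at request time, which narrows the window, but the control that closes it is egress filtering on the host or network, not application code. Second, an allowlist of hosts is what makes an image proxy defensible at all; a denylist of address ranges alone leaves every external-facing but sensitive service reachable.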
Potential Impact
For European organizations, this SSRF poses a substantial risk wherever the affected plugin is installed. Exploitation can give an attacker read, and in some cases write, access to internal network resources: internal APIs, configuration data, cloud metadata services, or databases with HTTP-style interfaces. This compromises confidentiality and integrity and can support lateral movement. Organizations whose internal services are reachable only from the web server are particularly exposed, because the proxy turns that server into a bridge that bypasses network segmentation and firewall rules.

The CVSS vector records no direct availability impact; the scored consequences are data disclosure and modification, although follow-on compromise of an internal service could have broader effects. Given the breadth of WordPress use in Europe, including government, healthcare, finance and critical-infrastructure sectors, realistic outcomes include data breaches, cloud credential exposure via metadata endpoints, and reputational damage. Because exploitation needs no authentication or user interaction, automated scanning for the endpoint is likely once details circulate, even though no active exploitation is reported yet.
Mitigation Recommendations
1. Monitor the plugin vendor's (bplugins) communications and the Wordfence advisory, and apply the fixed release as soon as it is published.
2. Until a patch is available, deactivate or remove the All In One Image Viewer Block plugin where feasible; if it must stay, block requests to its image-proxy REST route at the web server or WAF.
3. Restrict the web server's outbound traffic with egress filtering: deny connections from the PHP worker to RFC 1918 ranges, loopback-bound management services and the cloud metadata address (169.254.169.254) unless a specific destination is required. This bounds what any SSRF can reach, regardless of the plugin.
4. Add WAF rules that inspect requests to the image-proxy endpoint and block URL parameters whose scheme is not http(s) or whose host is a private, loopback or link-local address. Normalize percent-encoding and alternative IP spellings (decimal, hexadecimal, shortened dotted, IPv4-mapped IPv6) before matching; string-only rules are easy to bypass.
5. For developers maintaining similar proxy endpoints: register the REST route with a `permission_callback` that checks a real capability, validate the target against a scheme and host allowlist, resolve the host and reject private and reserved ranges, disable redirects, cap the response size and verify the returned content type.
6. Audit installed WordPress plugins regularly and remove those that are unused or expose unauthenticated REST routes you do not need.
7. Log and monitor outbound connections from web servers; unexpected requests from the PHP process to internal hosts or the metadata service are a strong SSRF indicator.
8. Ensure administrators understand SSRF risk and keep plugin inventories and patch cycles current.
9. Isolate WordPress hosts in a dedicated network segment with minimal routes to sensitive internal resources.
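For items 4 and 7 (WAF rules and request monitoring), an added example, not from the advisory or the plugin, that scans web-server access-log lines for calls to a proxy route whose target is an internal address, including the obfuscated IP spellings that a plain string-match rule misses. It assumes the REST route path `/wp-json/aio-example/v1/image-proxy` and the parameter name `url` (the real plugin's route is not given on this page); the five log lines are constructed for the example.

```php
<?php
// Added example (not from the advisory or the plugin): flag access-log
// requests to a REST image-proxy route whose `url` parameter targets an
// internal address, including obfuscated spellings that a string-matching
// WAF rule misses. Route path and parameter name are assumptions; the log
// lines are constructed for the example.

const PROXY_ROUTE = '/wp-json/aio-example/v1/image-proxy'; // assumption
const PROXY_PARAM = 'url';                                   // assumption

// Reduce the many spellings of an IP literal to a canonical form, or null
// when the host is a DNS name (which needs resolution, not done offline).
function canonical_ip( string $host ): ?string {
    $host = strtolower( trim( $host, '[]' ) );
    if ( 'localhost' === $host ) {
        return '127.0.0.1';
    }
    // IPv4-mapped IPv6 literal, e.g. ::ffff:10.0.0.5, carries an IPv4 target.
    if ( 0 === strpos( $host, '::ffff:' ) && filter_var( substr( $host, 7 ), FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 ) ) {
        return substr( $host, 7 );
    }
    if ( filter_var( $host, FILTER_VALIDATE_IP ) ) {
        return $host;
    }
    if ( preg_match( '/^\d{1,10}$/', $host ) && (int) $host <= 0xFFFFFFFF ) {
        return long2ip( (int) $host );               // decimal form: 2130706433
    }
    if ( preg_match( '/^0x[0-9a-f]{1,8}$/', $host ) ) {
        return long2ip( (int) hexdec( $host ) );     // hex form: 0x7f000001
    }
    $parts = explode( '.', $host );                  // short forms: 127.1, 10.0.1
    if ( count( $parts ) >= 2 && count( $parts ) <= 3
        && ctype_digit( implode( '', $parts ) )
        && max( array_map( 'intval', $parts ) ) <= 255 ) {
        $last = array_pop( $parts );                 // inet_aton fills the middle octets with 0
        return implode( '.', array_pad( $parts, 3, '0' ) ) . '.' . $last;
    }
    return null;
}

// Loopback, link-local (incl. 169.254.169.254 metadata), RFC 1918 and the
// IPv6 equivalents are all rejected by these two PHP filter flags.
function is_internal_ip( string $ip ): bool {
    return false === filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE );
}

// Examine one combined-format (Apache/Nginx) line; return a finding or null.
function scan_line( string $line ): ?array {
    if ( ! preg_match( '/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $line, $m ) ) {
        return null;
    }
    $client = $m[1];
    $path   = $m[2];
    if ( 0 !== strpos( $path, PROXY_ROUTE ) ) {
        return null;
    }
    parse_str( (string) parse_url( $path, PHP_URL_QUERY ), $q ); // parse_str URL-decodes once
    if ( empty( $q[ PROXY_PARAM ] ) ) {
        return null;
    }
    $target = (string) $q[ PROXY_PARAM ];
    $t      = parse_url( $target );
    $scheme = strtolower( $t['scheme'] ?? '' );
    if ( ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
        return array( 'client' => $client, 'target' => $target, 'reason' => 'non-http scheme' );
    }
    $ip = canonical_ip( $t['host'] ?? '' );
    if ( null !== $ip && is_internal_ip( $ip ) ) {
        return array( 'client' => $client, 'target' => $target, 'reason' => "internal address $ip" );
    }
    return null;
}

function scan_log( array $lines ): array {
    return array_values( array_filter( array_map( 'scan_line', $lines ) ) );
}

// Constructed sample: one benign proxy call, three SSRF probes, one unrelated request.
$sample = array(
    '203.0.113.7 - - [05/Feb/2026:09:30:11 +0000] "GET /wp-json/aio-example/v1/image-proxy?url=https%3A%2F%2Fimages.example.com%2Fa.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [05/Feb/2026:09:31:02 +0000] "GET /wp-json/aio-example/v1/image-proxy?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 312 "-" "curl/8.4.0"',
    '198.51.100.9 - - [05/Feb/2026:09:31:05 +0000] "GET /wp-json/aio-example/v1/image-proxy?url=http%3A%2F%2F2130706433%3A8080%2Fadmin HTTP/1.1" 200 88 "-" "curl/8.4.0"',
    '198.51.100.9 - - [05/Feb/2026:09:31:09 +0000] "GET /wp-json/aio-example/v1/image-proxy?url=http%3A%2F%2F%5B%3A%3Affff%3A10.0.0.5%5D%2F HTTP/1.1" 502 0 "-" "curl/8.4.0"',
    '203.0.113.7 - - [05/Feb/2026:09:32:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
);

foreach ( scan_log( $sample ) as $f ) {
    printf( "ALERT client=%s reason=%s target=%s\n", $f['client'], $f['reason'], $f['target'] );
}
```

Run it with `php scan.php`; the three probe lines (metadata service, decimal loopback, IPv4-mapped RFC 1918 address) are reported and the benign call to `images.example.com` is not. Two limits to keep in mind when turning this into a WAF or SIEM rule: DNS names are not resolved here, so a hostname that points at an internal address only shows up once you correlate with egress logs (item 7), and `parse_str` decodes one layer of percent-encoding, so if the upstream proxy or server logs double-encoded requests, decode until the value stops changing before matching.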
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Sweden
Technical Details
Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2026-01-21T17:10:18.154Z
CVSS Version: 3.1
State: PUBLISHED
Threat ID: 69846323f9fa50a62f145d38
Added to database: 2/5/2026, 9:30:11 AM
Last enriched: 2/5/2026, 9:44:31 AM
Last updated: 2/5/2026, 10:31:46 AM