CVE-2026-1294: CWE-918 Server-Side Request Forgery (SSRF) in bplugins All In One Image Viewer Block – Gutenberg block to create image viewer with hyperlink
The All In One Image Viewer Block plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.2 due to missing authorization and URL validation on the image-proxy REST API endpoint. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
AI Analysis
Technical Summary
CVE-2026-1294 is a Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918, in the All In One Image Viewer Block plugin for WordPress, a Gutenberg block used to create image viewers with hyperlinks. It affects all versions up to and including 1.0.2. The flaw exists because the plugin's image-proxy REST API endpoint neither enforces an authorization check nor validates the URL it is asked to fetch, so an unauthenticated attacker can submit a crafted request and have the server issue arbitrary HTTP requests to internal or external systems on their behalf. SSRF of this kind can reach internal services that are not exposed externally, potentially disclosing sensitive data or enabling lateral movement within the network. The CVSS 3.1 base score is 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N): exploitable over the network with low attack complexity, no privileges or user interaction required, and a scope change with low confidentiality and integrity impact. No public exploits are known and no patch has been published, but the risk is significant given the plugin's widespread use in WordPress environments. The CVE was reserved on January 21, 2026, and published on February 5, 2026, by Wordfence.
Potential Impact
The SSRF vulnerability in this WordPress plugin can have serious consequences for organizations worldwide. Attackers can exploit it to send unauthorized requests from the vulnerable web server to internal services, potentially bypassing firewalls and network segmentation. This can lead to unauthorized access to sensitive internal APIs, databases, or cloud metadata services, resulting in data leakage or unauthorized data modification. The integrity of internal systems can be compromised if attackers manipulate internal endpoints. Although availability impact is not directly indicated, the ability to query or modify internal services could facilitate further attacks that degrade service. Given WordPress’s extensive use globally, especially among small to medium businesses and content-driven websites, a large attack surface exists. The lack of authentication and user interaction requirements makes exploitation straightforward, increasing risk. Organizations relying on this plugin may face data breaches, compliance violations, and reputational damage if exploited.
Mitigation Recommendations
Immediate mitigation steps include disabling or uninstalling the All In One Image Viewer Block plugin until a patch is available. If disabling is not feasible, organizations should restrict access to the REST API endpoints related to the plugin using web application firewalls (WAFs) or reverse proxies to block unauthorized requests. Network-level controls should be implemented to prevent the web server from making arbitrary outbound requests, especially to internal IP ranges or sensitive services. Monitoring and logging of outbound HTTP requests from the web server can help detect suspicious activity. Administrators should audit their WordPress installations for this plugin and update to a patched version once released. Additionally, applying the principle of least privilege to internal services and enforcing strong network segmentation can limit the impact of SSRF exploitation. Security teams should also review internal service authentication mechanisms to prevent unauthorized access even if SSRF is exploited.
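The two controls the advisory describes as missing, an authorization check and URL validation on the image-proxy endpoint, are what a patched endpoint has to add. The following is an added example written for this page, not the plugin's own code and not a description of how the plugin is implemented: it shows how a WordPress REST image proxy can apply both controls using core WordPress APIs. The route namespace `example-image-viewer/v1`, the function names, the `example_image_proxy_allowed_hosts` option and the choice of the `upload_files` capability are all hypothetical.

```php
<?php
// Added example for this page (not the plugin's own code): a WordPress REST
// image-proxy route that applies the two controls the advisory says are
// missing, an authorization check and URL validation. The namespace, function
// names, option name and the chosen capability are hypothetical.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-image-viewer/v1', '/proxy', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_image_proxy_handler',
        // Authorization: the REST server rejects the request before the
        // callback runs unless the caller is logged in with this capability
        // (the block editor sends the X-WP-Nonce header, so the user is known).
        'permission_callback' => function () {
            return current_user_can( 'upload_files' );
        },
        'args'                => array(
            'url' => array(
                'required'          => true,
                'type'              => 'string',
                'validate_callback' => 'example_image_proxy_validate_url',
            ),
        ),
    ) );
} );

// URL validation. wp_http_validate_url() rejects non-http(s) schemes, URLs
// carrying credentials, ports other than 80, 443 and 8080 (plus the site's
// own port), and hosts that resolve into 0/8, 10/8, 127/8, 172.16/12 or
// 192.168/16. It does not reject 169.254.0.0/16, the link-local range used
// by cloud instance-metadata services, so that is checked explicitly below.
function example_image_proxy_validate_url( $url ) {
    if ( ! is_string( $url ) || false === wp_http_validate_url( $url ) ) {
        return false;
    }

    $host = strtolower( trim( (string) wp_parse_url( $url, PHP_URL_HOST ), '.' ) );
    $ip   = filter_var( $host, FILTER_VALIDATE_IP ) ? $host : gethostbyname( $host );
    // gethostbyname() returns the name unchanged when resolution fails, which
    // then fails FILTER_VALIDATE_IP. NO_RES_RANGE covers 169.254/16 and other
    // reserved blocks; NO_PRIV_RANGE covers the RFC 1918 ranges.
    if ( false === filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE ) ) {
        return false;
    }

    // Optional host allowlist kept in a site option (hypothetical name): when
    // it is set, the proxy may only fetch from the listed hosts.
    $allowed_hosts = array_map( 'strtolower', (array) get_option( 'example_image_proxy_allowed_hosts', array() ) );
    return empty( $allowed_hosts ) || in_array( $host, $allowed_hosts, true );
}

function example_image_proxy_handler( WP_REST_Request $request ) {
    $url = $request->get_param( 'url' );

    // wp_safe_remote_get() re-validates the URL (reject_unsafe_urls), and with
    // redirection disabled a 3xx from the upstream host cannot bounce the
    // fetch to an internal address. The response size is capped as well.
    $response = wp_safe_remote_get( $url, array(
        'timeout'             => 5,
        'redirection'         => 0,
        'limit_response_size' => 5 * MB_IN_BYTES,
    ) );
    if ( is_wp_error( $response ) ) {
        return new WP_Error( 'proxy_fetch_failed', 'Upstream fetch failed.', array( 'status' => 502 ) );
    }

    $code = (int) wp_remote_retrieve_response_code( $response );
    $type = wp_remote_retrieve_header( $response, 'content-type' );
    if ( is_array( $type ) ) {
        $type = (string) reset( $type );
    }
    // Only image responses are passed through; anything else would turn the
    // endpoint into a general-purpose fetcher for whatever the server can reach.
    if ( 200 !== $code || 0 !== strpos( (string) $type, 'image/' ) ) {
        return new WP_Error( 'proxy_not_image', 'Upstream did not return an image.', array( 'status' => 415 ) );
    }

    // The REST server JSON-encodes the response, so the image bytes are
    // returned base64-encoded rather than as a raw body.
    return rest_ensure_response( array(
        'content_type' => (string) $type,
        'data'         => base64_encode( wp_remote_retrieve_body( $response ) ),
    ) );
}
```

Two caveats worth keeping in mind when reviewing a fix of this shape. First, the hostname is resolved once during validation and again when the request is made, so a DNS answer that changes between the two (rebinding) is not caught by application-level checks alone; that is why the network-level egress restrictions recommended above still matter even after the endpoint is patched. Second, `wp_http_validate_url()` deliberately allows URLs pointing at the site's own host, so a proxy on a server that also hosts internal admin interfaces on that hostname needs the explicit allowlist rather than relying on the default checks.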
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, India, Brazil, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-01-21T17:10:18.154Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69846323f9fa50a62f145d38
Added to database: 2/5/2026, 9:30:11 AM
Last enriched: 2/26/2026, 7:03:50 PM
Last updated: 3/21/2026, 2:06:57 PM