The MimeTypes Link Icons plugin for WordPress, versions up to and including 3.2.20, contains a Server-Side Request Forgery (SSRF) vulnerability identified as CVE-2026-1313 (CWE-918). This vulnerability is triggered when the "Show file size" option is enabled, causing the plugin to perform outbound HTTP requests to URLs that are controlled by users without adequate validation or sanitization. An attacker with authenticated access at the Contributor level or above can craft malicious links within post content that cause the server to send HTTP requests to arbitrary destinations. This can be leveraged to access internal network resources that are otherwise inaccessible externally, potentially allowing attackers to gather sensitive information, interact with internal APIs, or modify internal data. The vulnerability affects all versions of the plugin up to 3.2.20 and has a CVSS v3.1 base score of 8.3, indicating high severity. The attack vector is network-based with low attack complexity and no user interaction required beyond authentication. The vulnerability scope is changed as it can impact resources beyond the vulnerable component. Although no exploits have been reported in the wild yet, the risk is significant given the common use of WordPress and this plugin in various organizations.

This SSRF vulnerability can have severe consequences for organizations using the MimeTypes Link Icons plugin. Attackers with Contributor-level access can exploit it to pivot into internal networks, bypassing perimeter defenses. This can lead to unauthorized disclosure of sensitive internal information, manipulation of internal services, and potential disruption of business-critical applications. The ability to send arbitrary requests from the server may also facilitate further attacks such as internal port scanning, exploitation of other internal vulnerabilities, or data exfiltration. Given WordPress's widespread use, organizations hosting sensitive or internal-only services behind their WordPress infrastructure are at particular risk. The vulnerability compromises confidentiality, integrity, and availability, potentially leading to data breaches, service outages, and reputational damage.

Organizations should immediately audit their use of the MimeTypes Link Icons plugin and disable the "Show file size" option until a secure patch is available. If possible, remove or replace the plugin with a secure alternative. Restrict Contributor-level user permissions and review user roles to minimize the risk of exploitation. Implement network segmentation and firewall rules to limit the WordPress server's ability to make outbound HTTP requests to internal services. Monitor logs for unusual outbound requests originating from the WordPress server. Employ Web Application Firewalls (WAFs) with rules to detect and block SSRF patterns. Stay alert for official patches or updates from the plugin vendor and apply them promptly once released. Conduct internal penetration testing to identify any exposure resulting from this vulnerability.