CVE-2022-1398
Published: 16 May 2022
Summary
CVE-2022-1398 is a medium-severity SSRF (CWE-918) vulnerability in the External Media Without Import WordPress plugin (vendor: External Media Without Import Project). Its CVSS base score is 6.5 (Medium).
Operationally, it ranks in the top 3.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
The External Media without Import WordPress plugin through version 1.1.2 is affected by CVE-2022-1398, a server-side request forgery issue (CWE-918) with a CVSS 3.1 base score of 6.5. The root cause is the absence of any authorization checks combined with a lack of validation that media URLs supplied by users actually reference external resources.
Any authenticated user, including those limited to the subscriber role, can exploit the flaw over the network to perform blind SSRF attacks. Successful exploitation allows the attacker to force the WordPress server to issue HTTP requests to arbitrary internal or external destinations, resulting in high-impact disclosure of otherwise inaccessible information.
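The root cause described above is the combination of two missing controls: no capability check before a user may add media, and no check that a user-supplied URL really points at an external host. The following Python is an added illustration of the hardened shape of such a handler; it is not code from the plugin or its author, and the hostnames, the `FAKE_DNS` table and the capability name `upload_files` (which WordPress subscribers lack by default) are constructed for the example. The validation resolves the host and checks every returned address, so alternative spellings of an internal address (decimal or octal IPv4 literals, IPv4-mapped IPv6, names that resolve to loopback) are rejected as well.

```python
"""Model of a hardened "add media by URL" handler: authorize first, then
confirm the URL points at a public host. Added example, not the plugin's code."""
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}


def is_public_ip(text):
    """True only for a globally routable unicast address."""
    ip = ipaddress.ip_address(text)
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so the IPv4 rules apply.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global already excludes private, loopback, link-local and unspecified
    # ranges; multicast and reserved space are excluded explicitly.
    return ip.is_global and not (ip.is_multicast or ip.is_reserved or ip.is_link_local)


def system_resolver(host):
    """Resolve a hostname to every A/AAAA answer (default when nothing is injected)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_external_media_url(url, resolver=system_resolver):
    """Return True only if url uses http(s) and every address it resolves to is public.

    Caveat: a check-then-fetch gap remains (DNS rebinding); a production fetcher
    should connect to the address validated here rather than resolving again.
    """
    try:
        parts = urlparse(url)
    except ValueError:          # e.g. malformed IPv6 brackets
        return False
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    if parts.username or parts.password:
        return False            # credentials embedded in a media URL are never expected
    host = parts.hostname
    try:
        ipaddress.ip_address(host)
        addresses = [host]      # a literal address needs no resolution
    except ValueError:
        try:
            addresses = resolver(host)
        except OSError:         # socket.gaierror is a subclass of OSError
            return False
    return bool(addresses) and all(is_public_ip(a) for a in addresses)


def add_media_from_url(user_capabilities, url, resolver=system_resolver):
    """Hardened handler outline: returns "forbidden", "rejected" or "accepted".

    The real handler would only fetch and attach the media in the "accepted"
    case; the vulnerable pattern skips both checks and fetches unconditionally.
    """
    if "upload_files" not in user_capabilities:   # assumed capability name
        return "forbidden"
    if not is_external_media_url(url, resolver):
        return "rejected"
    return "accepted"


# Constructed DNS table for offline demonstration; none of these are real records.
FAKE_DNS = {
    "cdn.example.com": ["8.8.8.8"],
    "intranet.example.com": ["10.0.0.5"],
    "rebind.example.com": ["8.8.8.8", "127.0.0.1"],   # one internal answer is enough to reject
}


def fake_resolver(host):
    if host not in FAKE_DNS:
        raise socket.gaierror("constructed resolver: unknown host")
    return FAKE_DNS[host]


if __name__ == "__main__":
    for caps, url in [
        ({"read"}, "https://cdn.example.com/a.jpg"),
        ({"upload_files"}, "https://cdn.example.com/a.jpg"),
        ({"upload_files"}, "http://intranet.example.com/"),
        ({"upload_files"}, "http://127.0.0.1:8080/"),
        ({"upload_files"}, "http://169.254.169.254/latest/"),
        ({"upload_files"}, "file:///etc/passwd"),
    ]:
        print(f"{url:45} -> {add_media_from_url(caps, url, fake_resolver)}")
```

Run stand-alone, the script prints the decision for each constructed request; the subscriber-style capability set is refused before the URL is even inspected, and every internal destination is rejected for the upload-capable user.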
The EPSS probability for this CVE rose from a low baseline to a peak of 0.5463 on 2026-03-27 before receding to its current value of 0.2935, indicating that exploitation interest emerged after public disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-24714
Vulnerability details
The External Media without Import WordPress plugin through 1.1.2 does not have any authorisation and does not ensure that media added via URLs are external media, which could allow any authenticated user, such as a subscriber, to perform blind SSRF attacks.
- CWE(s): CWE-918 (Server-Side Request Forgery)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Penetration testing attempts server-side requests to internal resources, identifying SSRF weaknesses for remediation.
- Outbound connections to external resources can be monitored and limited at the boundary, reducing SSRF impact.
- Validates server-side URLs and resource references to block SSRF attempts.
- Detects server-side request forgery through monitoring of unexpected outbound connections.