CVE-2026-1294
Published: 05 February 2026
Summary
CVE-2026-1294 is a high-severity SSRF (CWE-918) vulnerability in Wordpress (inferred from references). Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 7.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-1294 is a Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918, affecting the All In One Image Viewer Block plugin for WordPress in all versions up to and including 1.0.2. The flaw arises from missing authorization checks and insufficient URL validation in the image-proxy REST API endpoint, allowing requests to arbitrary destinations without proper restrictions.
Unauthenticated attackers can exploit this vulnerability over the network with low attack complexity, no privileges, and no user interaction required, earning it a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N). Exploitation enables attackers to initiate web requests from the compromised web application server to arbitrary internal or external locations, potentially allowing them to query sensitive data or modify information on internal services unreachable directly from the internet.
Wordfence's threat intelligence page documents the vulnerability in detail, while the plugin's source code at line 10 of image-viewer-block.php in tag 1.0.2 exposes the lack of validation. Mitigation is addressed in WordPress plugin trac changeset 3449642, which patches the issue in version 1.0.3 by adding the necessary authorization and validation, recommending immediate updates to this or later versions for affected sites.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5548
Vulnerability details
The All In One Image Viewer Block plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.2 due to missing authorization and URL validation on the image-proxy REST API endpoint. This makes it…
more
possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SSRF in public-facing WordPress plugin directly enables exploitation of the application to reach internal/external resources.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces authorization checks on the image-proxy REST endpoint that the CVE shows are completely absent.
Requires validation of all input (including URLs) to the image-proxy endpoint, blocking the arbitrary-destination SSRF vector.
Boundary-protection mechanisms can restrict or monitor the plugin's outbound requests to internal or arbitrary destinations.