Cyber Resilience

CVE-2026-1294

High

Published: 05 February 2026

Published
05 February 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 7.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
EPSS Score 0.0003 7.7th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-1294 is a high-severity SSRF (CWE-918) vulnerability in Wordpress (inferred from references). Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 7.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-1294 is a Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918, affecting the All In One Image Viewer Block plugin for WordPress in all versions up to and including 1.0.2. The flaw arises from missing authorization checks and insufficient URL validation in the image-proxy REST API endpoint, allowing requests to arbitrary destinations without proper restrictions.

Unauthenticated attackers can exploit this vulnerability over the network with low attack complexity, no privileges, and no user interaction required, earning it a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N). Exploitation enables attackers to initiate web requests from the compromised web application server to arbitrary internal or external locations, potentially allowing them to query sensitive data or modify information on internal services unreachable directly from the internet.

Wordfence's threat intelligence page documents the vulnerability in detail, while the plugin's source code at line 10 of image-viewer-block.php in tag 1.0.2 exposes the lack of validation. Mitigation is addressed in WordPress plugin trac changeset 3449642, which patches the issue in version 1.0.3 by adding the necessary authorization and validation, recommending immediate updates to this or later versions for affected sites.

EU & UK References

Vulnerability details

The All In One Image Viewer Block plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.2 due to missing authorization and URL validation on the image-proxy REST API endpoint. This makes it…

more

possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SSRF in public-facing WordPress plugin directly enables exploitation of the application to reach internal/external resources.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-6514Shared CWE-918
CVE-2026-44116Shared CWE-918
CVE-2026-21887Shared CWE-918
CVE-2026-31910Shared CWE-918
CVE-2026-48153Shared CWE-918
CVE-2026-45298Shared CWE-918
CVE-2026-39362Shared CWE-918
CVE-2026-31989Shared CWE-918
CVE-2025-27652Shared CWE-918
CVE-2026-42352Shared CWE-918

Affected Assets

Wordpress
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces authorization checks on the image-proxy REST endpoint that the CVE shows are completely absent.

prevent

Requires validation of all input (including URLs) to the image-proxy endpoint, blocking the arbitrary-destination SSRF vector.

prevent

Boundary-protection mechanisms can restrict or monitor the plugin's outbound requests to internal or arbitrary destinations.

References