Cyber Resilience

CVE-2026-1313

Severity: High
Published: 21 March 2026
Modified: 22 April 2026
CVSS Score v3.1: 8.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L)
EPSS Score: 0.0032 (23.2nd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-1313 is a high-severity SSRF (CWE-918) vulnerability in WordPress (inferred from references). Its CVSS base score is 8.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 23.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-1313 is a Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918, affecting the MimeTypes Link Icons plugin for WordPress in all versions up to and including 3.2.20. The issue arises when the "Show file size" option is enabled, as the plugin makes outbound HTTP requests to user-controlled URLs without proper validation. This flaw has a CVSS v3.1 base score of 8.3 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L) and was published on 2026-03-21.

Authenticated attackers with Contributor-level access or higher can exploit this vulnerability by embedding crafted links in post content. These links trick the plugin into initiating web requests from the server to arbitrary locations, potentially allowing attackers to query or modify information from internal services that are not directly accessible from the internet.

Advisories and references, including the Wordfence threat intelligence page and specific code locations in the plugin's source at lines 1612 and 1666 of mime_type_link_images.php (tags/3.2.20), provide details on the vulnerable implementation but do not specify patches or mitigations in the available information. Security practitioners should review these resources for updates and consider disabling the affected plugin or the "Show file size" option until remediation is confirmed.
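A hardened version of the outbound fetch described above, added here as an example and not taken from the plugin or from Wordfence: it allowlists scheme and port, resolves the host and refuses loopback, private, link-local and reserved ranges before any request leaves the server. It assumes WordPress core is loaded (wp_parse_url, wp_safe_remote_head and wp_remote_retrieve_* are core functions); the mtli_example_* names are hypothetical.

```php
<?php
// Added example, not the MimeTypes Link Icons plugin's code: vet a link before the server
// fetches its remote file size. Assumes WordPress is loaded (wp_parse_url, wp_safe_remote_head,
// wp_remote_retrieve_* are WordPress core functions); the mtli_example_* names are hypothetical.
/** True only for a credential-free http(s) URL on port 80/443 whose host is, or resolves
 *  only to, public IPv4 addresses (no loopback, RFC 1918, link-local or reserved ranges). */
function mtli_example_url_is_public( $url ) {
	$parts = wp_parse_url( $url );
	if ( ! is_array( $parts ) || empty( $parts['host'] ) || empty( $parts['scheme'] ) ) {
		return false;
	}
	if ( ! in_array( strtolower( $parts['scheme'] ), array( 'http', 'https' ), true ) ) {
		return false; // no file://, gopher://, dict:// and friends
	}
	if ( isset( $parts['user'] ) || isset( $parts['pass'] ) ) {
		return false; // user@host forms are a classic parser-confusion trick
	}
	if ( isset( $parts['port'] ) && ! in_array( (int) $parts['port'], array( 80, 443 ), true ) ) {
		return false;
	}
	$host = trim( $parts['host'], '[]' );
	// Literal IP: check it directly. Hostname: check every A record it resolves to.
	$ips = filter_var( $host, FILTER_VALIDATE_IP ) ? array( $host ) : gethostbynamel( $host );
	if ( empty( $ips ) ) {
		return false;
	}
	foreach ( $ips as $ip ) {
		// NO_PRIV_RANGE rejects 10/8, 172.16/12, 192.168/16, fc00::/7;
		// NO_RES_RANGE rejects 0/8, 127/8, 169.254/16, 240/4, ::1, ::/128, fe80::/10.
		$flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
		if ( false === filter_var( $ip, FILTER_VALIDATE_IP, $flags ) ) {
			return false;
		}
	}
	return true;
}
/** Content-Length of a vetted URL, or null. Never issues a request for a rejected link. */
function mtli_example_remote_file_size( $url ) {
	if ( ! mtli_example_url_is_public( $url ) ) {
		return null;
	}
	// wp_safe_remote_head() applies WordPress's own wp_http_validate_url() as a second layer;
	// redirection => 0 means a redirect is reported, not followed. Caveats: gethostbynamel() is
	// IPv4-only, and a host whose answer changes between check and connect (DNS rebinding)
	// is only stopped by egress filtering on the server itself.
	$response = wp_safe_remote_head( $url, array( 'timeout' => 5, 'redirection' => 0 ) );
	if ( is_wp_error( $response ) || 200 !== (int) wp_remote_retrieve_response_code( $response ) ) {
		return null;
	}
	$length = wp_remote_retrieve_header( $response, 'content-length' );
	return is_numeric( $length ) ? (int) $length : null;
}
```

The two-layer approach matters because the first check runs before any connection is opened, while WordPress's own validation only covers what the HTTP API sees; neither replaces outbound-traffic controls on the host.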

Vulnerability details

The MimeTypes Link Icons plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.2.20. This is due to the plugin making outbound HTTP requests to user-controlled URLs without proper validation when the "Show file size" option is enabled. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services via crafted links in post content.

CWE(s)

CWE-918 Server-Side Request Forgery (SSRF)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SSRF in public-facing WordPress plugin directly enables exploitation of a web application vulnerability for internal service interaction.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-13195 (shared CWE-918)
CVE-2026-5052 (shared CWE-918)
CVE-2025-58045 (shared CWE-918)
CVE-2025-69299 (shared CWE-918)
CVE-2026-42398 (shared CWE-918)
CVE-2026-7025 (shared CWE-918)
CVE-2025-2691 (shared CWE-918)
CVE-2025-21385 (shared CWE-918)
CVE-2026-6625 (shared CWE-918)
CVE-2026-30118 (shared CWE-918)

Affected Assets

WordPress
Inferred from references and description; NVD did not file a CPE for this CVE.

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Directly mitigates SSRF by requiring validation of user-controlled URLs in post content before the plugin initiates outbound HTTP requests.

SI-2 Flaw Remediation (prevent)
Requires timely remediation of the specific SSRF flaw in the MimeTypes Link Icons plugin up to version 3.2.20.

Outbound traffic control (prevent, detect)
Monitors and controls outbound communications from the web server, blocking requests to arbitrary internal services via SSRF.

References