CVE-2026-1313
Published: 21 March 2026
Summary
CVE-2026-1313 is a high-severity SSRF (CWE-918) vulnerability in WordPress (inferred from references). Its CVSS base score is 8.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it is ranked at the 23.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-1313 is a Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918, affecting the MimeTypes Link Icons plugin for WordPress in all versions up to and including 3.2.20. The issue arises when the "Show file size" option is enabled, as the plugin makes outbound HTTP requests to user-controlled URLs without proper validation. This flaw has a CVSS v3.1 base score of 8.3 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L) and was published on 2026-03-21.
Authenticated attackers with Contributor-level access or higher can exploit this vulnerability by embedding crafted links in post content. These links trick the plugin into initiating web requests from the server to arbitrary locations, potentially allowing attackers to query or modify information from internal services that are not directly accessible from the internet.
Advisories and references, including the Wordfence threat intelligence page and the specific code locations in the plugin's source at lines 1612 and 1666 of mime_type_link_images.php (tags/3.2.20), describe the vulnerable implementation, but the available information does not specify a patch or vendor mitigation. Security practitioners should review these resources for updates and consider disabling the affected plugin, or at least the "Show file size" option, until remediation is confirmed.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-14184
Vulnerability details
The MimeTypes Link Icons plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.2.20. This is due to the plugin making outbound HTTP requests to user-controlled URLs without proper validation when the "Show file size" option is enabled. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services via crafted links in post content.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SSRF in public-facing WordPress plugin directly enables exploitation of a web application vulnerability for internal service interaction.
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation): directly mitigates the SSRF by requiring validation of user-controlled URLs in post content before the plugin initiates outbound HTTP requests.
SI-2 (Flaw Remediation): requires timely remediation of the specific SSRF flaw in the MimeTypes Link Icons plugin in versions up to and including 3.2.20.
Outbound traffic control: monitors and controls outbound communications from the web server, blocking requests to arbitrary internal services that an SSRF would otherwise reach.
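As an added illustration of the input-validation control described above, and not code from the plugin, from Wordfence or from WordPress itself, the following Python function shows the check a server-side fetch such as the "Show file size" request should apply to a link taken from post content: allow only http(s), refuse embedded credentials, resolve the host, and reject the URL if any address it maps to is loopback, private, link-local, or an IPv4-mapped form of those. The function name, the injectable resolver and the DNS table are constructed for this example; the blocked ranges are the standard RFC 1918, loopback, link-local and shared-address ranges.

```python
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

# Ranges a web server must never be tricked into fetching from.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10", "::ffff:0:0/96",
)]

# Constructed DNS table so the check can be exercised offline (not real hosts).
CONSTRUCTED_DNS = {
    "cdn.example.org": ["203.0.113.10"],
    "mixed.example.org": ["203.0.113.10", "10.0.0.5"],  # public and internal answers
}

def table_resolver(host: str) -> list[str]:
    """Resolver over the constructed table; unknown names resolve to nothing."""
    return list(CONSTRUCTED_DNS.get(host, []))

def default_resolver(host: str) -> list[str]:
    """Production resolver: every A/AAAA answer for the name."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def is_safe_fetch_target(url: str, resolve: Callable[[str], Iterable[str]] = default_resolver) -> bool:
    """True only if the URL is http(s), carries no credentials, and every
    address its host maps to lies outside the blocked ranges."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    if parts.username is not None or parts.password is not None:
        return False
    try:
        ips = [ipaddress.ip_address(parts.hostname)]  # IP literal, bracketed IPv6 included
    except ValueError:
        try:
            ips = [ipaddress.ip_address(a) for a in resolve(parts.hostname)]
        except (OSError, ValueError):
            return False
    if not ips:
        return False
    # Reject if ANY answer is internal, so a name answering with both public and private addresses cannot slip through.
    return not any(ip.is_multicast or ip.is_reserved
                   or any(ip in net for net in BLOCKED_NETWORKS) for ip in ips)
```

Because DNS can change between this check and the actual connection, the fetch itself should be made to the validated address rather than re-resolving the name, and the outbound request should additionally be limited to a HEAD with redirects disabled or re-validated.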