Platform: wordpress
Component: image-viewer
Fixed in: 1.0.3
CVE-2026-1294 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in the All In One Image Viewer Block plugin for WordPress. This flaw allows unauthenticated attackers to initiate web requests from the plugin, potentially accessing internal services and sensitive data. The vulnerability impacts versions 1.0.0 through 1.0.2 and has been resolved in version 1.0.3.
The SSRF vulnerability in All In One Image Viewer Block allows attackers to bypass security controls and make requests to internal resources that are normally inaccessible from the outside. An attacker could potentially query internal APIs, access configuration files, or even interact with other services running on the same network as the WordPress server. This could lead to data breaches, privilege escalation, or further compromise of the system. The lack of authorization and URL validation on the image-proxy REST API endpoint makes this exploitation straightforward.
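The advisory names two missing controls on the image-proxy REST endpoint: authorization and URL validation. The following added example (not the plugin's code; the route namespace and function names are assumptions, the WordPress and PHP calls are real) shows what a hardened WordPress image-proxy route looks like, with a capability check in `permission_callback`, `wp_http_validate_url()` plus a resolved-address range filter on the target, no redirect following, and a refusal to relay anything that is not an image.

```php
// Added example, not the plugin's own code: route and function names are
// hypothetical; the WordPress and PHP calls are real.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-image-viewer/v1', '/proxy', array(
        'methods'             => 'GET',
        'callback'            => 'example_image_proxy_handler',
        // Authorization: '__return_true' here would let anyone drive the
        // server's HTTP client; require a capability instead.
        'permission_callback' => function () {
            return current_user_can( 'upload_files' );
        },
        'args'                => array(
            'url' => array(
                'required'          => true,
                'sanitize_callback' => 'esc_url_raw',
                'validate_callback' => 'example_image_proxy_validate_url',
            ),
        ),
    ) );
} );

// wp_http_validate_url() accepts only http(s) and rejects embedded credentials,
// non-standard ports, loopback and RFC 1918 hosts; PHP's range filter on the
// resolved address also refuses link-local (169.254.0.0/16) and reserved ranges.
function example_image_proxy_validate_url( $url ) {
    if ( false === wp_http_validate_url( $url ) ) {
        return false;
    }
    $ip = gethostbyname( (string) wp_parse_url( $url, PHP_URL_HOST ) );
    return false !== filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE );
}

function example_image_proxy_handler( WP_REST_Request $request ) {
    // redirection => 0: only the validated URL is ever fetched, so a redirect
    // to an internal address cannot sidestep the checks above.
    $response = wp_safe_remote_get( $request->get_param( 'url' ), array(
        'timeout'             => 5,
        'redirection'         => 0,
        'limit_response_size' => 5 * MB_IN_BYTES,
    ) );
    $type = (string) wp_remote_retrieve_header( $response, 'content-type' );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response )
        || 0 !== strpos( $type, 'image/' ) ) {
        // Never relay non-image bodies: an internal HTML or JSON page must not leak.
        return new WP_Error( 'proxy_refused', 'Upstream is not a fetchable image.', array( 'status' => 502 ) );
    }
    header( 'Content-Type: ' . $type );
    echo wp_remote_retrieve_body( $response ); // binary body, so bypass the JSON serializer
    exit;
}
```

Note that the hostname is resolved at validation time and not again at fetch time; a host allowlist is the stronger control where the set of legitimate image sources is known.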
CVE-2026-1294 was publicly disclosed on 2026-02-05. No public proof-of-concept exploits are currently known, but the SSRF nature of the vulnerability makes it likely that exploits will emerge. The EPSS score is likely medium, given the ease of exploitation and potential impact. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.02% (5th percentile)
CISA SSVC: (none listed)
CVSS Vector: (none listed)
The primary mitigation for CVE-2026-1294 is to immediately upgrade the All In One Image Viewer Block plugin to version 1.0.3 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests to the image-proxy endpoint. Additionally, restrict network access to the WordPress server to only necessary ports and services to limit the potential blast radius of a successful SSRF attack. Review and harden any internal services that might be exposed by this vulnerability.
Update to version 1.0.3 or a newer patched version.
CVE-2026-1294 is a Server-Side Request Forgery vulnerability affecting the All In One Image Viewer Block WordPress plugin, allowing attackers to make unauthorized requests.
You are affected if you are using the All In One Image Viewer Block plugin versions 1.0.0 through 1.0.2.
Upgrade the All In One Image Viewer Block plugin to version 1.0.3 or later. Consider WAF rules as a temporary mitigation.
While no public exploits are currently known, the SSRF nature of the vulnerability suggests potential for exploitation.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory.