Platform: wordpress
Component: image-viewer
Fixed in: 1.0.3
CVE-2026-1294 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in the All In One Image Viewer Block plugin for WordPress. This flaw allows unauthenticated attackers to initiate web requests from the plugin, potentially accessing internal services and sensitive data. The vulnerability impacts versions 1.0.0 through 1.0.2 and has been resolved in version 1.0.3.
The SSRF vulnerability in All In One Image Viewer Block allows attackers to bypass security controls and make requests to internal resources that are normally inaccessible from the outside. An attacker could potentially query internal APIs, access configuration files, or even interact with other services running on the same network as the WordPress server. This could lead to data breaches, privilege escalation, or further compromise of the system. The lack of authorization and URL validation on the image-proxy REST API endpoint makes this exploitation straightforward.
CVE-2026-1294 was publicly disclosed on 2026-02-05. No public proof-of-concept exploits are currently known, but the SSRF nature of the vulnerability makes it likely that exploits will emerge. The EPSS score is likely medium, given the ease of exploitation and potential impact. It is not currently listed on the CISA KEV catalog.
WordPress sites using the All In One Image Viewer Block plugin, particularly those with internal services accessible from the web server, are at risk. Shared hosting environments where users have limited control over installed plugins are also particularly vulnerable.
• wordpress / composer / npm:
  wp plugin list | grep "All In One Image Viewer Block"
• generic web:
  curl -I "https://your-wordpress-site.com/wp-json/aio-image-viewer/v1/image-proxy?url=http://internal-service" | head -n 1
• wordpress / composer / npm:
  wp plugin update all-in-one-image-viewer-block
• wordpress / composer / npm:
  wp plugin status all-in-one-image-viewer-block
EPSS: 0.02% (5th percentile)
The primary mitigation for CVE-2026-1294 is to immediately upgrade the All In One Image Viewer Block plugin to version 1.0.3 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests to the image-proxy endpoint. Additionally, restrict network access to the WordPress server to only necessary ports and services to limit the potential blast radius of a successful SSRF attack. Review and harden any internal services that might be exposed by this vulnerability.
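A hardened shape for the kind of image-proxy REST endpoint described above, added here for illustration and not the plugin's own code: the route requires a capability instead of allowing anonymous access, and the target URL is validated (scheme plus every resolved address) before anything is fetched. The namespace and route are taken from the curl check on this page; the aio_example_* function names and the upload_files capability are assumptions.

```php
<?php
// Added example, not the plugin's code. Namespace/route follow this page's
// endpoint path; the aio_example_* names and capability are hypothetical.
// Allow only http(s) URLs whose host resolves to public addresses, so the
// proxy cannot be pointed at loopback, link-local or RFC 1918 services.
function aio_example_url_is_public( $url ) {
    $parts = wp_parse_url( $url );
    if ( empty( $parts['scheme'] ) || empty( $parts['host'] ) ) {
        return false;
    }
    if ( ! in_array( strtolower( $parts['scheme'] ), array( 'http', 'https' ), true ) ) {
        return false;
    }
    // Check every address the name resolves to; an IP literal passes through.
    $ips = gethostbynamel( $parts['host'] );
    if ( empty( $ips ) ) {
        return false; // unresolvable, bracketed IPv6 or otherwise odd: fail closed
    }
    foreach ( $ips as $ip ) {
        if ( false === filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE ) ) {
            return false;
        }
    }
    return true; // caveat: DNS may re-resolve at fetch time (rebinding)
}

function aio_example_proxy( WP_REST_Request $request ) {
    $url = (string) $request->get_param( 'url' );
    if ( ! aio_example_url_is_public( $url ) ) {
        return new WP_Error( 'rest_url_rejected', 'URL not allowed.', array( 'status' => 400 ) );
    }
    // wp_safe_remote_get() re-applies WordPress's own wp_http_validate_url()
    // checks; redirects are disabled so a 3xx cannot bounce to an internal host.
    $res = wp_safe_remote_get( $url, array( 'timeout' => 5, 'redirection' => 0 ) );
    if ( is_wp_error( $res ) || 0 !== strpos( (string) wp_remote_retrieve_header( $res, 'content-type' ), 'image/' ) ) {
        return new WP_Error( 'rest_fetch_failed', 'Upstream did not return an image.', array( 'status' => 502 ) );
    }
    return rest_ensure_response( array( 'data' => base64_encode( wp_remote_retrieve_body( $res ) ) ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'aio-image-viewer/v1', '/image-proxy', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'aio_example_proxy',
        // Authorization: never '__return_true' here; require a real capability.
        'permission_callback' => function () { return current_user_can( 'upload_files' ); },
        'args'                => array( 'url' => array( 'required' => true, 'type' => 'string' ) ),
    ) );
} );
```

The resolve-then-fetch gap is the one residual weakness: a host that answers with a public address at validation time and a private one at fetch time (DNS rebinding) is not caught by this check alone, which is why an egress firewall on the web server remains worthwhile.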
Update to version 1.0.3 or a more recent patched version.
CVE-2026-1294 is a Server-Side Request Forgery vulnerability affecting the All In One Image Viewer Block WordPress plugin, allowing attackers to make unauthorized requests.
You are affected if you are using the All In One Image Viewer Block plugin versions 1.0.0 through 1.0.2.
Upgrade the All In One Image Viewer Block plugin to version 1.0.3 or later. Consider WAF rules as a temporary mitigation.
While no public exploits are currently known, the SSRF nature of the vulnerability suggests potential for exploitation.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory.