Platform: wordpress
Component: mimetypes-link-icons
Fixed version: 3.2.21
CVE-2026-1313 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in the MimeTypes Link Icons plugin for WordPress. This flaw allows authenticated attackers, possessing Contributor-level access or higher, to initiate web requests to arbitrary locations originating from the WordPress application. The vulnerability exists in versions up to and including 3.2.20, and a fix is available in version 3.3.0.
The SSRF vulnerability enables an attacker to craft malicious links within WordPress post content, triggering outbound HTTP requests to attacker-controlled URLs. Because the plugin doesn't properly validate these URLs when the "Show file size" option is enabled, an attacker can leverage this to query and potentially modify data from internal services that are accessible to the WordPress server. This could expose sensitive information, allow for unauthorized access to internal resources, or even facilitate further attacks against the underlying infrastructure. The impact is amplified if the WordPress server has access to sensitive internal systems or APIs. Although Contributor access is required, this is a common privilege level, which widens the potential attack surface.
CVE-2026-1313 was publicly disclosed on 2026-03-20. No public proof-of-concept (PoC) code has been released at the time of writing, but the SSRF nature of the vulnerability makes it likely that a PoC will emerge. It is not currently listed on the CISA KEV catalog. The vulnerability's reliance on Contributor-level access may limit its immediate exploitability in some environments.
WordPress websites utilizing the MimeTypes Link Icons plugin, particularly those with the "Show file size" option enabled and where users have Contributor-level access or higher, are at risk. Shared hosting environments where WordPress installations share resources and network access are also particularly vulnerable, as a compromised WordPress site could be used to attack other internal services.
• wordpress / composer / npm:
grep -r "wp_remote_get" /var/www/html/wp-content/plugins/mimetypes-link-icons/
• generic web:
curl -I https://your-wordpress-site.com/wp-content/plugins/mimetypes-link-icons/ | grep -i 'server:'
• wordpress / composer / npm:
wp plugin list | grep mimetypes-link-icons
Disclosure and exploit status
EPSS: 0.05% (15th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2026-1313 is to immediately upgrade the MimeTypes Link Icons plugin to version 3.3.0 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider disabling the "Show file size" option within the plugin's settings, as this feature is the root cause of the vulnerability. As a temporary workaround, a web application firewall (WAF) or reverse proxy can be configured to block outbound requests to suspicious or unauthorized domains. Monitor WordPress access logs for unusual outbound HTTP requests originating from user-controlled content.
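The root cause described above is an outbound fetch made on a user-supplied URL without validation. The following is an added example of the guard such a "fetch the file size" feature should apply before any request; it is not code from the MimeTypes Link Icons plugin, and the function names is_safe_outbound_url and resolve_public_ip are hypothetical. The sample URLs at the bottom are constructed for the demonstration.

```php
<?php
// Added example (not the plugin's code): validate a link target before an outbound request.
// Function names below are hypothetical; the sample URLs at the bottom are constructed.

/**
 * Return the resolved IPv4 address if $host points at a publicly routable address,
 * otherwise null. Hostnames that fail to resolve are treated as unsafe.
 */
function resolve_public_ip(string $host): ?string {
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $ip = $host;                    // literal IP in the URL
    } else {
        $ip = gethostbyname($host);     // returns $host unchanged when resolution fails
        if ($ip === $host) {
            return null;
        }
    }
    // NO_PRIV_RANGE rejects RFC 1918 space; NO_RES_RANGE rejects loopback,
    // link-local and other reserved ranges, so internal services are never reachable.
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) !== false ? $ip : null;
}

/**
 * True only for plain http/https URLs on default ports, without embedded
 * credentials, whose host resolves to a public address.
 */
function is_safe_outbound_url(string $url): bool {
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host'])) {
        return false;
    }
    // Only http/https: no file://, ftp://, gopher:// or other handler schemes.
    if (!in_array(strtolower($parts['scheme'] ?? ''), ['http', 'https'], true)) {
        return false;
    }
    // user:pass@host is a classic way to confuse URL filters; refuse it outright.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }
    // Default ports only, so the server cannot be pointed at internal admin ports.
    if (isset($parts['port']) && !in_array($parts['port'], [80, 443], true)) {
        return false;
    }
    // parse_url() keeps the brackets on IPv6 literals; strip them before validating.
    return resolve_public_ip(trim($parts['host'], '[]')) !== null;
}

// Constructed sample links of the kind a post body might contain (not from any real site).
$samples = [
    'https://example.com/files/report.pdf',  // public host: allowed if DNS resolves publicly
    'http://127.0.0.1:8080/admin',           // loopback and non-default port: rejected
    'http://169.254.0.2/status',             // link-local range: rejected
    'http://10.0.0.5/internal.pdf',          // RFC 1918 address: rejected
    'file:///etc/passwd',                    // non-HTTP scheme: rejected
    'http://user:pw@203.0.113.10/x.pdf',     // embedded credentials: rejected
];
foreach ($samples as $u) {
    printf("%-42s %s\n", $u, is_safe_outbound_url($u) ? 'allowed' : 'rejected');
}
```

Inside WordPress the native equivalent is to call wp_safe_remote_get() instead of wp_remote_get(); it runs wp_http_validate_url(), which applies the same scheme, port and private-address checks. One caveat for either approach: the check resolves the hostname once and the HTTP client resolves it again, so a DNS name that changes its answer between the two lookups (DNS rebinding) can still slip through unless the client is pinned to the validated address or egress is restricted at the network layer, as the WAF and reverse-proxy advice above suggests.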
Update to version 3.3.0 or a later fixed version.
CVE-2026-1313 is a Server-Side Request Forgery vulnerability in the MimeTypes Link Icons plugin for WordPress, allowing attackers with Contributor access to make outbound HTTP requests to arbitrary locations.
You are affected if you are using MimeTypes Link Icons plugin version 3.2.20 or earlier in WordPress and the 'Show file size' option is enabled.
Upgrade the MimeTypes Link Icons plugin to version 3.3.0 or later. Alternatively, disable the 'Show file size' option as a temporary workaround.
While no active exploitation has been confirmed, the SSRF nature of the vulnerability makes it likely that exploitation attempts will occur.
Refer to the plugin developer's website or WordPress.org plugin page for the latest advisory and updates.