CVE-2026-1294 in All In One Image Viewer Block Plugin
Summary
by MITRE • 02/05/2026
The All In One Image Viewer Block plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.2 due to missing authorization and URL validation on the image-proxy REST API endpoint. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Analysis
by VulDB Data Team • 02/06/2026
The All In One Image Viewer Block plugin for WordPress contains a server-side request forgery vulnerability in all versions up to and including 1.0.2. The flaw sits in the plugin's image-proxy REST API endpoint, which is registered without an authorization check and fetches the URL supplied by the caller without validating it. Two independent controls are therefore missing: the endpoint does not restrict who may call it, so unauthenticated visitors can reach it, and it does not restrict where the resulting request may go, so the destination is entirely attacker-chosen.
In practice the endpoint turns the WordPress server into an open HTTP proxy. An unauthenticated attacker submits a crafted request naming an internal or external URL, the plugin issues that request from the web server, and whatever the plugin returns to the caller (response body, status, or timing) leaks information about the target. Because the request originates from the server itself, it reaches services that firewalls or network segmentation hide from the internet, such as hosts on the server's own subnet, loopback-bound administrative interfaces, or a cloud instance metadata service. Which URL schemes are reachable depends on the HTTP client the plugin uses; with WordPress's own HTTP API only http and https are available, while a direct cURL or stream call would expose whatever schemes that client supports. The CVE description also notes that the primitive can be used to modify, not only read, data on internal services, which is the case whenever a request method and body can be relayed or a GET request alone triggers a state change.
For administrators the consequences are the usual ones for unauthenticated SSRF: enumeration of internal hosts and ports, reconnaissance against internal APIs and management endpoints, retrieval of credentials from metadata services or misconfigured internal services, and use of the WordPress host as a pivot to exploit other vulnerabilities that were assumed to be reachable only from inside the network. Sites that rely on network segmentation as a security boundary should treat an exposed instance of this plugin as a hole in that boundary.
Remediation is to update the plugin to a version that adds both the authorization check and the URL validation to the image-proxy endpoint. Where an update is not immediately possible, restrict outbound connections from the web server with egress firewall rules so that a forged request cannot reach internal ranges, loopback services, or the cloud metadata address, and consider blocking the endpoint at a web application firewall. A correct fix in the plugin itself means a permission_callback that requires an appropriate capability, strict validation of the URL (scheme, userinfo, port and resolved address), and fetching through a client that refuses private and reserved destinations such as wp_safe_remote_get(). REST API access logs should be reviewed for requests to the proxy endpoint whose URL parameter names a private, loopback, or link-local address, and similar proxy or fetch-by-URL endpoints in other plugins and custom code deserve the same review. The weakness is classified as CWE-918 (Server-Side Request Forgery); the ATT&CK identifier given for it, T1071.004, is the Application Layer Protocol: DNS sub-technique.
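The vulnerable shape described above beside a hardened version, as an added example that is not the plugin's own code. The route name, namespace, parameter name, function names and the chosen capability are assumptions made for illustration; the advisory only says that the image-proxy REST endpoint lacked authorization and URL validation.

```php
<?php
/**
 * Added example, not code from the All In One Image Viewer Block plugin.
 * Route, namespace, parameter and function names are assumptions.
 */

// ---- Vulnerable shape: anyone can call it, and the URL is fetched as given -----
add_action( 'rest_api_init', function () {
	register_rest_route( 'aio-image-viewer/v1', '/proxy', array(
		'methods'             => WP_REST_Server::READABLE,
		'callback'            => 'aiov_proxy_vulnerable',
		'permission_callback' => '__return_true',   // no authorization at all
	) );
} );

function aiov_proxy_vulnerable( WP_REST_Request $request ) {
	$url      = $request->get_param( 'url' );     // attacker-controlled destination
	$response = wp_remote_get( $url );            // no scheme, port or address restriction
	return rest_ensure_response( wp_remote_retrieve_body( $response ) );
}

// ---- Hardened shape: authorization + URL validation + safe fetch + image-only ----
add_action( 'rest_api_init', function () {
	register_rest_route( 'aio-image-viewer/v1', '/proxy-safe', array(
		'methods'             => WP_REST_Server::READABLE,
		'callback'            => 'aiov_proxy_hardened',
		// Capability is an assumption; use whichever matches who legitimately needs the proxy.
		'permission_callback' => function () {
			return current_user_can( 'edit_posts' );
		},
		'args' => array(
			'url' => array(
				'required'          => true,
				'type'              => 'string',
				'validate_callback' => 'aiov_is_safe_image_url',
			),
		),
	) );
} );

function aiov_is_safe_image_url( $url ) {
	$parts = wp_parse_url( $url );
	if ( ! is_array( $parts ) || empty( $parts['scheme'] ) || empty( $parts['host'] ) ) {
		return false;
	}
	if ( ! in_array( strtolower( $parts['scheme'] ), array( 'http', 'https' ), true ) ) {
		return false;                              // no file://, ftp://, gopher:// ...
	}
	if ( isset( $parts['user'] ) || isset( $parts['pass'] ) ) {
		return false;                              // no http://trusted@evil/ confusion
	}
	if ( isset( $parts['port'] ) && ! in_array( (int) $parts['port'], array( 80, 443 ), true ) ) {
		return false;                              // no probing of arbitrary internal ports
	}
	// Resolve and reject private (RFC 1918), loopback, link-local (which covers
	// 169.254.169.254) and other reserved ranges. gethostbyname() is IPv4-only: a name
	// that only resolves to IPv6, or an IPv6 literal, comes back unchanged and fails
	// filter_var(), so it is rejected. That is the safe default for an image proxy.
	$ip    = gethostbyname( $parts['host'] );
	$flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
	return filter_var( $ip, FILTER_VALIDATE_IP, $flags ) !== false;
}

function aiov_proxy_hardened( WP_REST_Request $request ) {
	$url = $request->get_param( 'url' );

	// wp_safe_remote_get() re-validates the URL with wp_http_validate_url() at fetch
	// time (http/https only, no userinfo, standard ports, RFC 1918 and loopback
	// rejected), so a DNS answer that changes between the validate_callback and the
	// request is checked again. Note that wp_http_validate_url() does not block
	// link-local 169.254.0.0/16, which is why the local check above also applies
	// FILTER_FLAG_NO_RES_RANGE. Redirects are disabled so a public host cannot
	// bounce the request to an internal one, and the response size is capped.
	$response = wp_safe_remote_get( $url, array(
		'redirection'         => 0,
		'timeout'             => 5,
		'limit_response_size' => 5 * MB_IN_BYTES,
	) );
	if ( is_wp_error( $response ) ) {
		return new WP_Error( 'aiov_fetch_failed', 'Upstream fetch failed.', array( 'status' => 502 ) );
	}

	$ctype = (string) wp_remote_retrieve_header( $response, 'content-type' );
	if ( 0 !== strpos( $ctype, 'image/' ) ) {
		return new WP_Error( 'aiov_not_image', 'Upstream did not return an image.', array( 'status' => 415 ) );
	}

	// The REST server JSON-encodes return values, so raw image bytes are sent directly.
	nocache_headers();
	header( 'Content-Type: ' . $ctype );
	header( 'X-Content-Type-Options: nosniff' );
	echo wp_remote_retrieve_body( $response );
	exit;
}
```

The validate_callback and wp_safe_remote_get() overlap deliberately: the first gives a clear 400 with the reason before any network activity, the second closes the window between validation and fetch. Allowing only image/* responses back to the caller removes most of the information-disclosure value even if a destination does slip through, since HTML, JSON and banner text from internal services are never echoed.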