CVE-2026-1313 in MimeTypes Link Icons Plugin
Summary
by MITRE • 03/21/2026
The MimeTypes Link Icons plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.2.20. This is due to the plugin making outbound HTTP requests to user-controlled URLs without proper validation when the "Show file size" option is enabled. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services via crafted links in post content.
Analysis
by VulDB Data Team • 03/27/2026
The MimeTypes Link Icons plugin for WordPress presents a critical server-side request forgery vulnerability that compromises the security posture of affected installations. This vulnerability affects all versions up to and including 3.2.20, creating a significant risk for WordPress environments that utilize this plugin. The flaw manifests when the "Show file size" feature is enabled, which triggers the plugin to perform outbound HTTP requests to URLs specified by user input. The vulnerability stems from inadequate validation of user-controlled URLs, allowing malicious actors to manipulate the plugin's behavior and potentially access internal network resources that should remain protected from external access.
The technical implementation of this vulnerability resides in the plugin's handling of user-provided URLs during file size retrieval operations. When a user with Contributor-level privileges or higher creates or modifies content containing links, the plugin processes these URLs without proper sanitization or validation. This design flaw aligns with CWE-918, which describes server-side request forgery vulnerabilities where applications fail to validate and control outbound requests to external systems. The vulnerability enables authenticated attackers to leverage the web application's network privileges to make requests to internal services, potentially exposing sensitive data or system information that would normally be restricted to internal network access.
The operational impact of this vulnerability extends beyond simple information disclosure, as it provides attackers with the capability to interact with internal services that may be protected by network segmentation or firewall rules. An attacker with Contributor access can craft malicious links within post content that, when processed by the vulnerable plugin, can result in requests being made to internal systems such as database servers, administrative interfaces, or other sensitive services. This capability directly maps to ATT&CK technique T1071.004, which involves application layer protocol manipulation, and T1046, which covers network service scanning. The vulnerability essentially allows attackers to use the compromised WordPress installation as a pivot point for further reconnaissance and exploitation of internal network resources.
Mitigation should start with updating the plugin to a version that addresses the SSRF flaw and with network-level controls that restrict outbound requests from the web application. Administrators who do not need the "Show file size" feature should disable it, which removes the attack vector entirely. Network segmentation and firewall rules should keep the web application from reaching internal services directly, and outbound traffic should be monitored for suspicious patterns. Validating and sanitizing user-supplied URLs at multiple layers adds defense in depth against similar vulnerabilities. Finally, installed plugins should be reviewed regularly and security patches applied promptly to prevent exploitation of known vulnerabilities in the WordPress ecosystem.
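The validation layer described above, as an added example that is not the plugin's code: before any server-side fetch of a link found in post content, the URL is checked for an allowed scheme and port, and its host is resolved and rejected if any answer is a loopback, private, link-local or otherwise non-global address. Host names and addresses in the embedded DNS table are constructed; WordPress's own `wp_safe_remote_get()` applies a comparable reserved-address check and should be preferred over a raw HTTP call in plugin code.

```python
# Added example, not the plugin's code: vet a link before the server fetches it.
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

CONSTRUCTED_DNS = {  # constructed table with hypothetical names, for offline use
    "cdn.example.com": ["93.184.216.34"],                  # globally routable
    "intranet.example.com": ["10.0.0.5"],                  # RFC 1918
    "rebind.example.com": ["93.184.216.34", "127.0.0.1"],  # mixed answer: reject
}

def constructed_resolver(host):
    return CONSTRUCTED_DNS.get(host, [])

def system_resolver(host):  # for real deployments: every A/AAAA record
    return sorted({i[4][0] for i in socket.getaddrinfo(host, None)})

def is_public_address(addr):
    ip = ipaddress.ip_address(addr)
    mapped = getattr(ip, "ipv4_mapped", None)  # ::ffff:127.0.0.1 is still loopback
    if mapped is not None:
        ip = mapped
    return ip.is_global and not ip.is_multicast

def is_safe_fetch_url(url, resolver=system_resolver):
    """(ok, reason): ok only for http(s) on 80/443 with a globally routable host."""
    p = urlsplit(url)
    if p.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if not p.hostname or p.username or p.password:
        return False, "missing host or embedded credentials"
    try:
        if (p.port or (443 if p.scheme == "https" else 80)) not in ALLOWED_PORTS:
            return False, "port not allowed"
    except ValueError:
        return False, "invalid port"
    try:
        ipaddress.ip_address(p.hostname)  # IP literal: check it directly, no DNS
        addrs = [p.hostname]
    except ValueError:
        try:
            addrs = list(resolver(p.hostname))
        except (socket.gaierror, ValueError):
            return False, "unresolvable host"
    if not addrs or not all(is_public_address(a) for a in addrs):
        return False, "host is unresolvable or maps to a non-public address"
    # Caveat: re-resolving at fetch time is racy (DNS rebinding); connect to addrs.
    return True, ""
```

A link that resolves to both a public and a loopback address is rejected outright, since an attacker-controlled DNS answer may vary between the check and the fetch.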