CVE-2026-1356 in Converter for Media Plugin
Summary
by MITRE • 02/12/2026
The Converter for Media – Optimize images | Convert WebP & AVIF plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.5.1 via the PassthruLoader::load_image_source function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Analysis
by VulDB Data Team • 02/13/2026
The vulnerability identified as CVE-2026-1356 affects the Converter for Media plugin for WordPress in all versions up to and including 6.5.1. The plugin optimizes images and converts between formats such as WebP and AVIF, and is widely installed for WordPress performance tuning. The flaw lies in the PassthruLoader::load_image_source function, a core step of the plugin's image processing workflow. It is significant because it lets an external party reach internal network resources through requests issued by the web application's own backend.
The vulnerability stems from insufficient input validation and sanitization in the plugin's image loading mechanism. When PassthruLoader::load_image_source processes an image request, it does not properly validate the external URL or file path passed to it. An attacker can therefore supply a URL that causes the server to issue a request to internal services the web application can reach. The weakness is classified as Server-Side Request Forgery (SSRF) under CWE-918, which covers applications that make unintended requests to internal services because user-supplied input is inadequately validated. The attack vector is particularly dangerous because no authentication is required: anyone who knows how the vulnerable plugin's loader is invoked can trigger it.
The operational impact of this vulnerability extends beyond simple data exfiltration, as it provides attackers with the capability to probe internal network services and potentially access sensitive information or systems that should remain isolated from external access. Unauthenticated attackers can leverage this vulnerability to perform reconnaissance activities against internal services that the web server can reach, including but not limited to database servers, administrative interfaces, or other internal APIs. The compromised WordPress installation becomes a potential pivot point for further attacks, enabling threat actors to map internal network topology and identify additional targets for exploitation. This vulnerability directly aligns with ATT&CK technique T1018, which covers Valid Accounts and Discovery, as it allows adversaries to gather information about internal systems through the compromised web application.
Mitigation requires addressing the root cause in the plugin's codebase. The primary fix is strict input validation and sanitization in the PassthruLoader::load_image_source function, so that every external URL is checked against an allowlist of acceptable domains and protocols. The plugin developers should parse and verify URLs in a way that rejects malicious targets and internal network addresses. Organizations should also consider network-level firewalls or security groups that restrict outbound connections from web servers to internal services, adding a further layer of defense. Regular security audits and penetration testing should be conducted to identify similar weaknesses in other installed plugins and themes. The vulnerability demonstrates the importance of validating all external input and applying the principle of least privilege to web applications, particularly those with access to internal network resources.
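The kind of allowlist check the analysis above calls for, as an added example that is not the plugin's own code: it accepts only absolute http(s) URLs whose host is on an allowlist and resolves to public addresses. The function name, the allowlist contents, and the injectable resolver are assumptions made so the check can be exercised offline.

```php
<?php
// Added example, not the plugin's own code: a URL allowlist check an image
// loader can run before fetching a user-supplied source. Names are hypothetical.

/**
 * True only if $url is an absolute http(s) URL whose host is on the allowlist
 * and resolves exclusively to public IP addresses.
 * $resolve maps a hostname to a list of IP strings; it is injectable so the
 * check can be tested without network access, and defaults to DNS.
 */
function is_safe_image_source(string $url, array $allowed_hosts, ?callable $resolve = null): bool {
    $resolve = $resolve ?? function (string $host): array {
        $ips = [];
        foreach ((array) @dns_get_record($host, DNS_A | DNS_AAAA) as $rec) {
            $ips[] = $rec['ip'] ?? $rec['ipv6'] ?? '';
        }
        return $ips;
    };
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return false; // relative paths and file:, data:, php: wrappers have no host
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return false; // only web fetches are ever legitimate for an image loader
    }
    if (isset($p['user']) || isset($p['pass'])) {
        return false; // credentials in the authority are a common parser-confusion trick
    }
    $host = strtolower(rtrim($p['host'], '.'));
    if (!in_array($host, $allowed_hosts, true)) {
        return false; // localhost, raw IPs and internal hostnames are never allowlisted
    }
    $ips = $resolve($host);
    if ($ips === []) {
        return false; // unresolvable: fail closed
    }
    foreach ($ips as $ip) { // an allowlisted name must still not point at a private/reserved IP
        if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            return false;
        }
    }
    return true;
}

// Constructed offline resolver and sample inputs (not real hosts).
$fake_dns = function (string $h): array {
    $table = ['cdn.example.com' => ['203.0.113.10'], 'intranet.example.com' => ['10.0.0.5']];
    return $table[$h] ?? [];
};
$allowed = ['cdn.example.com', 'intranet.example.com'];
var_dump(is_safe_image_source('https://cdn.example.com/img/a.jpg', $allowed, $fake_dns)); // public IP, allowlisted
var_dump(is_safe_image_source('https://intranet.example.com/a.jpg', $allowed, $fake_dns)); // allowlisted but private IP
var_dump(is_safe_image_source('http://localhost/a.jpg', $allowed, $fake_dns)); // host not on allowlist
var_dump(is_safe_image_source('file:///var/www/wp-config.php', $allowed, $fake_dns)); // non-http scheme
```

Because the resolved address is checked separately from the later fetch, the fetch should connect to the address that was validated rather than resolving the name again; inside WordPress, wp_safe_remote_get() with its built-in wp_http_validate_url() check is the idiomatic way to get this behaviour.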