CVE-2026-1313 - Vulnerability Analysis

Overview

WordPress MimeTypes Link Icons plugin <= 3.2.20 contains a server-side request forgery caused by outbound HTTP requests to user-controlled URLs without validation when "Show file size" is enabled, letting authenticated contributors and above make arbitrary web requests originating from the application.

Severity & Score

Impact

Authenticated attackers can make arbitrary web requests from the server, potentially accessing or modifying internal services.

Mitigation

Update to the latest version beyond 3.2.20.

References

• https://www.wordfence.com/threat-intel/vulnerabilities/id/7b035d17-303b-4a8b-a15e-615df6b605d1?source=cve
• https://plugins.trac.wordpress.org/browser/mimetypes-link-icons/tags/3.2.20/mime_type_link_images.php#L1612
• https://plugins.trac.wordpress.org/browser/mimetypes-link-icons/tags/3.2.20/mime_type_link_images.php#L1666

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 21, 2026

🟠 CVE-2026-1313 - High (8.3) The MimeTypes Link Icons plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.2.20. This is due to the plugin making outbound HTTP requests to user-controlled URLs without proper validation when... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-1313/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

• Vulnerability Intelligence Dashboard
• Credential Scanner