LeakyCreds

CVE-2026-1313 - Vulnerability Analysis

High | CVSS: 8.3

Last Updated: March 21, 2026

WordPress MimeTypes Link Icons - Server-Side Request Forgery

Published: March 21, 2026 | Updated: March 21, 2026 | Remote Exploitable

Overview

WordPress MimeTypes Link Icons plugin <= 3.2.20 contains a server-side request forgery caused by outbound HTTP requests to user-controlled URLs without validation when "Show file size" is enabled, letting authenticated contributors and above make arbitrary web requests originating from the application.

Severity & Score

Severity: High
CVSS Score: 8.3

Impact

Authenticated attackers can make arbitrary web requests from the server, potentially accessing or modifying internal services.

Mitigation

Update to a version later than 3.2.20.
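
The overview attributes the flaw to outbound requests sent to user-controlled URLs without validation. As an added example (not the plugin's code or its patch), this is the kind of destination check a server-side file-size lookup needs before it connects, in plain PHP; `ip_is_public`, `check_lookup_url` and the DNS map are hypothetical names and constructed data.

```php
<?php
// Added example, not the plugin's code. Function names are hypothetical.

// True only for addresses outside PHP's private and reserved ranges
// (10/8, 172.16/12, 192.168/16, 127/8, 169.254/16, ::1, fe80::/10, fc00::/7 ...).
function ip_is_public(string $ip): bool
{
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

// Returns [true, $ipToConnectTo] or [false, $reason].
// $resolve maps a hostname to a list of IP strings; production code would
// wrap gethostbynamel()/dns_get_record(), the demo injects a constructed map.
function check_lookup_url(string $url, callable $resolve): array
{
    $p = parse_url($url);
    if (!is_array($p) || !isset($p['scheme'], $p['host'])) {
        return [false, 'unparseable or relative URL'];
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return [false, 'scheme not allowed'];
    }
    if (isset($p['user']) || isset($p['pass'])) {
        return [false, 'credentials embedded in URL'];
    }
    $host = trim($p['host'], '[]');               // parse_url keeps IPv6 brackets
    $ips  = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : $resolve($host);
    if (empty($ips)) {
        return [false, 'host does not resolve'];
    }
    foreach ($ips as $ip) {                        // every record must be public
        if (!ip_is_public($ip)) {
            return [false, "resolves to non-public address $ip"];
        }
    }
    return [true, $ips[0]];
}

// Constructed DNS answers so the example runs offline.
$dns = ['files.example.com' => ['93.184.216.34'], 'intranet.example.com' => ['10.0.0.5']];
$resolve = fn(string $h): array => $dns[strtolower($h)] ?? [];

foreach (['https://files.example.com/a.pdf', 'http://intranet.example.com/a.pdf',
          'http://127.0.0.1:8080/a.pdf', 'http://[::1]/a.pdf', 'ftp://files.example.com/a.pdf'] as $u) {
    [$ok, $info] = check_lookup_url($u, $resolve);
    printf("%-40s %s (%s)\n", $u, $ok ? 'allow' : 'block', $info);
}
```

The request should connect to the vetted IP and either disable redirects or re-check every hop, since a second DNS lookup or a redirect can point somewhere the check never saw. Inside WordPress, `wp_safe_remote_head()` applies core's own URL validation to the request.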

Details

CVE ID: CVE-2026-1313
Severity: High
CVSS Score: 8.3
Type: server_side_request_forgery
Status: new

CWE

  • CWE-918

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L