Refine your search
1 vulnerability found for All In One Image Viewer Block – Gutenberg block to create image viewer with hyperlink by bplugins
CVE-2026-1294 (GCVE-0-2026-1294)
Vulnerability from cvelistv5
Published
2026-02-05 09:13
Modified
2026-04-08 17:02
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Summary
The All In One Image Viewer Block plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.2 due to missing authorization and URL validation on the image-proxy REST API endpoint. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| bplugins | All In One Image Viewer Block – Gutenberg block to create image viewer with hyperlink |
Version: 0 ≤ 1.0.2 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1294",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-05T14:35:23.517383Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-05T14:35:50.072Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "All In One Image Viewer Block \u2013 Gutenberg block to create image viewer with hyperlink",
"vendor": "bplugins",
"versions": [
{
"lessThanOrEqual": "1.0.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Athiwat Tiprasaharn"
},
{
"lang": "en",
"type": "finder",
"value": "Itthidej Aramsri"
},
{
"lang": "en",
"type": "finder",
"value": "Varakorn Chanthasri"
},
{
"lang": "en",
"type": "finder",
"value": "Sopon Tangpathum (SoNaJaa)"
}
],
"descriptions": [
{
"lang": "en",
"value": "The All In One Image Viewer Block plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.2 due to missing authorization and URL validation on the image-proxy REST API endpoint. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:02:39.612Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7c3f7108-eb32-425a-a705-4f032e7da6b0?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/image-viewer/tags/1.0.2/image-viewer-block.php#L10"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3449642/image-viewer/tags/1.0.3/image-viewer-block.php?old=3405983\u0026old_path=image-viewer%2Ftags%2F1.0.2%2Fimage-viewer-block.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-21T17:26:06.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-02-04T20:41:56.000Z",
"value": "Disclosed"
}
],
"title": "All In One Image Viewer Block \u003c= 1.0.2 - Unauthenticated Server-Side Request Forgery via image-proxy Endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1294",
"datePublished": "2026-02-05T09:13:45.563Z",
"dateReserved": "2026-01-21T17:10:18.154Z",
"dateUpdated": "2026-04-08T17:02:39.612Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}