Impact
The vulnerability is a Server-Side Request Forgery flaw that permits an attacker to cause the WordPress server to make outbound HTTP or HTTPS requests on the attacker’s behalf. By manipulating the plugin’s input, an adversary could retrieve sensitive internal resources, access privileged services, or potentially exfiltrate data, which violates the confidentiality and possibly the integrity of the system. The weakness is classified as CWE-918, indicating improper handling of external input in server-side requests.
Affected Systems
The affected vendor is Kishan and the product is the WP Link Preview WordPress plugin. All released versions up to and including 1.4.1 are vulnerable. Versions newer than 1.4.1 have not been reported to contain this flaw.
Risk and Exploitability
The CVSS score of 6.4 reflects moderate severity, and the EPSS score of less than 1% suggests exploitation is considered unlikely at present. The vulnerability is not listed in the CISA KEV catalog, which further reduces its current threat level. Based on the description, the likely attack vector is external input that the plugin processes, and exploitation requires outbound network connectivity from the WordPress host. No authentication or privileged conditions are noted, implying that a publicly accessible site with the plugin installed may be sufficient.