Description
Server-Side Request Forgery (SSRF) vulnerability in minnur External Media external-media allows Server Side Request Forgery. This issue affects External Media: from n/a through <= 1.0.36.
Published: 2026-01-07
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A Server Side Request Forgery flaw in the minnur External Media plugin for WordPress allows an attacker to make the server issue HTTP requests to URLs of the attacker's choosing. The flaw is present in plugin versions up to and including 1.0.36, and it can let attackers reach internal services, exfiltrate data, or perform actions with the server's network position. The underlying weakness is missing input validation for remote URLs, categorized as CWE-918.

Affected Systems

WordPress sites running minnur's External Media plugin at any version up to and including 1.0.36 are affected. No WordPress core version restriction is indicated, so every WordPress installation with the affected plugin is potentially vulnerable.

Risk and Exploitability

The CVSS v3.1 score of 4.9 indicates moderate severity, and the EPSS score of less than 1% suggests a low probability of widespread exploitation at present. The vulnerability is not listed in the CISA KEV database, so no in-the-wild exploitation has been recorded there. Nevertheless, the attack can be executed remotely through the plugin's interface, so site administrators should treat it as a real risk, especially where the plugin runs in production environments with access to sensitive internal networks.

Generated by OpenCVE AI on April 30, 2026 at 04:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the External Media plugin to a version newer than 1.0.36 once it becomes available, or uninstall it if not needed.
  • If an immediate upgrade is not possible, restrict the plugin's network access by configuring the host or egress firewall to block outbound requests from the web server to internal or untrusted networks.
  • Review and disable any usage of the plugin on sites that are not exposed to public traffic to minimize attack surface.
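The Impact section attributes the flaw to missing validation of remote URLs (CWE-918), and the second recommended action asks for an egress restriction. The following Python function is an added example, not code from the External Media plugin, Patchstack or OpenCVE, of the check a server-side fetcher should run before requesting a user-supplied URL. It goes beyond the single plugin case: it enforces an http/https scheme and an optional host allow-list, rejects embedded credentials, resolves the host and refuses any answer that is loopback, private, link-local, multicast, reserved, shared address space or an IPv4-mapped IPv6 alias of one of those. The hostnames, the DNS table and the resolver are constructed so the example runs offline; none of the records are real.

```python
# Added example, not code from the External Media plugin or from OpenCVE:
# an egress check for server-side fetches of user-supplied URLs, i.e. the
# input validation whose absence is catalogued as CWE-918 (SSRF).
import ipaddress
import socket
from dataclasses import dataclass, field
from typing import Callable, Iterable, Optional
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Ranges that Python's ipaddress does not flag as private but that never
# belong to a public media host (RFC 6598 shared address space).
EXTRA_BLOCKED = [ipaddress.ip_network("100.64.0.0/10")]

Resolver = Callable[[str], Iterable[str]]


@dataclass
class UrlCheck:
    ok: bool
    reason: str
    addresses: list[str] = field(default_factory=list)  # vetted, only when ok


def _system_resolver(host: str) -> list[str]:
    """Resolve with the OS resolver; returns every A/AAAA answer."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def _is_public_address(text: str) -> bool:
    """True only for globally routable unicast addresses. IPv4-mapped IPv6
    is unwrapped first so ::ffff:10.0.0.5 is judged as 10.0.0.5."""
    ip = ipaddress.ip_address(text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified):
        return False
    return not any(ip in net for net in EXTRA_BLOCKED)


def check_outbound_url(url: str,
                       allowed_hosts: Optional[Iterable[str]] = None,
                       resolver: Resolver = _system_resolver) -> UrlCheck:
    """Decide whether the server may fetch `url` on a user's behalf."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return UrlCheck(False, f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        return UrlCheck(False, "credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        return UrlCheck(False, "URL has no host")
    try:
        _ = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return UrlCheck(False, "malformed port")
    if allowed_hosts is not None:
        if host.lower() not in {h.lower() for h in allowed_hosts}:
            return UrlCheck(False, f"host not on allow-list: {host}")
    try:
        addresses = list(resolver(host))
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return UrlCheck(False, f"resolution failed for {host}: {exc}")
    if not addresses:
        return UrlCheck(False, f"{host} resolved to no addresses")
    # Every answer must be public: a name with one internal A record is enough
    # to let the client land on the internal host.
    for addr in addresses:
        try:
            public = _is_public_address(addr)
        except ValueError:
            return UrlCheck(False, f"unparseable address {addr!r}")
        if not public:
            return UrlCheck(False, f"{host} resolves to non-public address {addr}")
    return UrlCheck(True, "ok", addresses)


# Constructed DNS table so the example runs offline; none of these records
# are real.
CONSTRUCTED_DNS = {
    "cdn.example.com": ["93.184.216.34"],                 # a public address
    "intranet.example.com": ["10.0.0.5"],                 # RFC 1918
    "dual.example.com": ["93.184.216.34", "127.0.0.1"],   # one bad answer
}


def constructed_resolver(host: str) -> list[str]:
    """Stand-in for DNS: IP literals resolve to themselves, names use the table."""
    try:
        ipaddress.ip_address(host)
        return [host]
    except ValueError:
        pass
    if host not in CONSTRUCTED_DNS:
        raise socket.gaierror(f"constructed resolver: no record for {host}")
    return CONSTRUCTED_DNS[host]


if __name__ == "__main__":
    allow = ["cdn.example.com", "intranet.example.com", "dual.example.com"]
    for candidate in ["https://cdn.example.com/a.png", "http://intranet.example.com/",
                      "http://dual.example.com/", "ftp://cdn.example.com/"]:
        result = check_outbound_url(candidate, allow, constructed_resolver)
        print(f"{candidate:35} {'allow' if result.ok else 'block'}: {result.reason}")
```

Two details matter when wiring this into a real fetcher. The HTTP client should connect to one of the addresses in `UrlCheck.addresses` (sending the original hostname as the Host header and SNI) rather than resolving the name a second time, otherwise a record that changes between the check and the connection defeats the check. And redirects must not be followed automatically; each redirect target is a new URL that goes through `check_outbound_url` again.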


Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Server-Side Request Forgery (SSRF) vulnerability in minnur External Media allows Server Side Request Forgery.This issue affects External Media: from n/a through 1.0.36.
  Added: Server-Side Request Forgery (SSRF) vulnerability in minnur External Media external-media allows Server Side Request Forgery.This issue affects External Media: from n/a through <= 1.0.36.
References
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Thu, 08 Jan 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Wed, 07 Jan 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 07 Jan 2026 14:30:00 +0000

Type Values Removed Values Added
Description Server-Side Request Forgery (SSRF) vulnerability in minnur External Media allows Server Side Request Forgery.This issue affects External Media: from n/a through 1.0.36.
Title WordPress External Media plugin <= 1.0.36 - Server Side Request Forgery (SSRF) vulnerability
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T01:07:58.958Z

Reserved: 2025-06-04T09:42:27.085Z

Link: CVE-2025-49335

Vulnrichment

Updated: 2026-01-07T14:36:31.161Z

NVD

Status : Deferred

Published: 2026-01-07T15:15:45.573

Modified: 2026-04-23T15:31:29.343

Link: CVE-2025-49335

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T04:30:27Z

Weaknesses