The vulnerability is a Server‑Side Request Forgery flaw in the WPThumb WordPress plugin that allows an attacker to trigger the server to send HTTP requests to URLs specified in the plugin’s input. The weakness is identified as CWE-918, indicating a lack of proper validation or sanitization of external URLs. The impact is limited to the ability to direct the site’s outbound traffic to chosen addresses, potentially revealing internal endpoints or abusing external resources, but the CVE description does not detail any further exploitation chaining or data disclosure.

WPThumb, a WordPress plugin built by Joe Hoyle, is affected for all available releases from its earliest published version through version 0.10 inclusive.

The CVSS score of 4.9 classifies the issue as moderate. The EPSS score of less than 1% indicates a very low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a remote web request to the publicly exposed WordPress site that invokes the plugin’s functionality; the description does not explicitly state the vector, so it is inferred from the nature of an SSRF vulnerability in a web‑based plugin. Exploitation would require the attacker to supply a URL that the plugin processes, causing the server to initiate a request to that target.