Impact
The vulnerability is a Server-Side Request Forgery (SSRF, CWE-918) in the Auto Upload Images plugin that lets a remote attacker make the server issue arbitrary HTTP requests. This can expose internal resources, permit credential harvesting, or facilitate further exploitation; the issue could be leveraged to read or exfiltrate sensitive data, or to pivot to other systems.
Affected Systems
WordPress sites running the Ali Irani Auto Upload Images plugin at version 3.3.2 or earlier. Every release from the initial release through 3.3.2 is affected; releases after 3.3.2 are not.
Risk and Exploitability
The CVSS base score of 4.9 reflects moderate risk, and the EPSS score of less than 1% indicates a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, so it is not yet known to be actively exploited. Exploitation would likely involve sending a crafted request to the plugin's upload endpoint carrying an attacker-chosen URL that the plugin then fetches, which lets the attacker point the server at internal or external addresses. Successful exploitation could lead to information disclosure or further lateral movement.
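The root cause described above is a server fetching a user-supplied URL without restricting where that URL may point. The following is an added example of the validation a "fetch remote image" feature needs before it performs the request; it is illustrative code written for this page, not the plugin's own code. It assumes only the Python standard library, allows only http/https on ports 80 and 443, resolves the host, rejects any address that is not globally routable (loopback, RFC 1918, link-local including the cloud metadata address, IPv4-mapped IPv6 and the other IANA special-purpose ranges), and returns the resolved address so the caller can connect to that exact address rather than resolving a second time (which closes the DNS-rebinding gap between check and fetch). The resolver is injectable purely so the check can be exercised offline; the hostnames and addresses in the comments are constructed sample values.

```python
"""
SSRF guard for a "fetch remote image by URL" feature.
Added example for this page; not the Auto Upload Images plugin's code.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def _default_resolver(host):
    """Resolve a hostname to all of its IPv4/IPv6 addresses ([] on failure)."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return [info[4][0] for info in infos]


def validate_fetch_url(url, resolver=_default_resolver):
    """
    Return (ok, reason, pinned_ip).

    ok is True only when the URL may be fetched; pinned_ip is the address the
    caller must connect to (send the original Host header / SNI yourself).
    'resolver' is injectable (assumption for testability) so the check can run
    without DNS; production code uses the default socket-based resolver.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable URL", None

    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed", None
    if not parts.hostname:
        return False, "missing host", None
    if parts.username is not None or parts.password is not None:
        # user:pass@host forms are a classic way to confuse URL parsers
        return False, "credentials in URL not allowed", None
    try:
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return False, "invalid port", None
    if port is not None and port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed", None

    host = parts.hostname
    # A literal IP (including bracketed IPv6) is checked directly; a name is resolved.
    try:
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        return False, "host does not resolve", None

    # Every address must be globally routable. A name that resolves to one
    # public and one private address is rejected outright.
    for a in addrs:
        try:
            ip = ipaddress.ip_address(a)
        except ValueError:
            return False, f"resolver returned non-address {a!r}", None
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped   # ::ffff:10.0.0.1 must be judged as 10.0.0.1
        if not ip.is_global:
            return False, f"host resolves to non-public address {a}", None

    return True, "ok", addrs[0]


if __name__ == "__main__":
    # Constructed sample inputs; the hostname is resolved with real DNS here.
    for sample in ("http://127.0.0.1/wp-admin/", "http://169.254.169.254/latest/",
                   "http://[::ffff:10.0.0.1]/x.png", "https://cdn.example.com/x.png"):
        print(sample, "->", validate_fetch_url(sample))
```

In a WordPress plugin the same policy is available natively: `wp_safe_remote_get()` routes the request through `wp_http_validate_url()`, which rejects loopback and private destinations, whereas plain `wp_remote_get()` does not. Whichever implementation is used, the decisive property is that the address that was validated is the address that gets connected to.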
OpenCVE Enrichment