Impact
WordPress Image shrinker plugin version 1.1.0 or earlier is affected by a Server Side Request Forgery vulnerability. An attacker who can trigger the plugin’s image shrinking functionality can cause the server to initiate requests to arbitrary URLs. Because the request originates from the web server itself and therefore inherits its network position, this flaw could allow data exfiltration or access to internal resources. The weakness is classified as CWE‑918. No indication is provided that the vulnerability grants authentication bypass or execution of arbitrary code, but it could be combined with other local or remote weaknesses to further compromise confidentiality or integrity.
Affected Systems
All installations of the HETWORKS WordPress Image shrinker plugin up to and including version 1.1.0. Any WordPress site that has installed this plugin and has an active upload mechanism or a user who can upload or modify images is potentially impacted.
Risk and Exploitability
The CVSS score of 4.9 suggests moderate severity, and the EPSS score of less than 1% indicates a low probability of exploitation at the time of this analysis. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is the image upload or processing function exposed by the plugin: an attacker with access to that functionality could supply a crafted URL to trigger the SSRF. No evidence is present that any authentication is required beyond what is needed to exercise the plugin’s upload feature.
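Since the attack vector is a user-supplied URL that the plugin fetches server-side, the relevant mitigation is to validate that URL before the server follows it. The following is an added, illustrative hardening pattern for a WordPress plugin; it is not the Image shrinker plugin’s code, and the function name and the assumption that the plugin accepts a URL string are hypothetical. It relies on WordPress core’s own helpers (esc_url_raw, wp_http_validate_url, wp_safe_remote_get) rather than a raw file_get_contents() or wp_remote_get() call.

```php
<?php
// Added example, not code from the Image shrinker plugin. Assumes the plugin
// receives a user-controlled URL string and fetches it on the server; the
// function name is hypothetical.

/**
 * Fetch a remote image with SSRF protections.
 * Returns the image bytes on success, or a WP_Error describing the rejection.
 */
function example_fetch_remote_image( $url ) {
    // 1. Allow only http/https. esc_url_raw() returns '' when the URL carries
    //    any other scheme (file://, gopher://, php://, ...).
    $url = esc_url_raw( $url, array( 'http', 'https' ) );
    if ( '' === $url ) {
        return new WP_Error( 'ssrf_scheme', 'Only http and https URLs are allowed.' );
    }

    // 2. WordPress core host check: resolves the hostname and rejects loopback,
    //    link-local and RFC 1918 addresses and non-standard ports, unless a
    //    site explicitly allows them via the http_request_host_is_external filter.
    if ( ! wp_http_validate_url( $url ) ) {
        return new WP_Error( 'ssrf_host', 'URL points at a disallowed host or port.' );
    }

    // 3. Use the "safe" transport wrapper: reject_unsafe_urls is forced on so the
    //    same validation is applied by the HTTP layer, redirects are capped, and
    //    the response size is bounded to limit resource exhaustion.
    $response = wp_safe_remote_get( $url, array(
        'timeout'             => 10,
        'redirection'         => 2,
        'limit_response_size' => 10 * MB_IN_BYTES,
    ) );
    if ( is_wp_error( $response ) ) {
        return $response;
    }
    if ( 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return new WP_Error( 'ssrf_status', 'Unexpected HTTP status from remote host.' );
    }

    // 4. Confirm the body really is a decodable image before passing it to the
    //    shrinking routine, so the fetch cannot be used to relay arbitrary content.
    $body = wp_remote_retrieve_body( $response );
    if ( false === @getimagesizefromstring( $body ) ) {
        return new WP_Error( 'not_image', 'Response body is not a decodable image.' );
    }
    return $body;
}
```

Two caveats apply to any validator of this shape. First, wp_http_validate_url() resolves the hostname at check time while the transport resolves it again at fetch time, so a DNS name whose answer changes between the two lookups can still reach an internal address; where that matters, pin the resolved IP for the actual request or fetch through an egress proxy with its own allow-list. Second, the check only covers the initial URL and redirects handled by WordPress core; if a plugin uses its own cURL calls, none of these protections apply.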
OpenCVE Enrichment