Description
The All In One Image Viewer Block plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.2 due to missing authorization and URL validation on the image-proxy REST API endpoint. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Published: 2026-02-05
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery
Action: Apply Patch
AI Analysis

Impact

The All In One Image Viewer Block plugin for WordPress contains an unprotected image‑proxy REST endpoint that lacks both authentication and URL validation. Any client able to send HTTP requests to the site can therefore instruct the server to fetch arbitrary URLs, including addresses of internal services that are not reachable from outside. The vulnerability can be used to read or modify information held by those services, compromising their confidentiality or integrity.

Affected Systems

WordPress sites that use the bplugins All In One Image Viewer Block through version 1.0.2 are affected. Versions 1.0.3 and later contain a fix that adds authorization and URL validation checks.

Risk and Exploitability

The flaw has a CVSS score of 7.2, which is high severity. The EPSS score of less than one percent indicates a low but non‑zero exploitation probability, and the vulnerability is not listed in CISA’s KEV catalog. Because the REST API endpoint is publicly exposed, an attacker can exploit it from any location that can reach the web server; the attack vector is network‑based and requires no privileges on the target system.

Generated by OpenCVE AI on April 15, 2026 at 18:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the All In One Image Viewer Block plugin to version 1.0.3 or later to apply the vendor‑supplied patch that implements authentication and input validation for the image‑proxy endpoint.
  • If an immediate upgrade is not possible, remove or disable the image‑proxy route by editing the plugin’s code or configuration to prevent external invocation of the endpoint.
  • Limit the outbound connections allowed from the WordPress installation by applying firewall rules or configuring a web application firewall to block requests to internal or protected services.
  • Monitor the WordPress access logs for unusual requests to the image‑proxy API and investigate any sign of Server‑Side Request Forgery activity.
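The first two recommended actions, authorization and URL validation on the proxy route, applied to a WordPress REST endpoint. This is an added example and is not code from the All In One Image Viewer Block plugin or its vendor: the route namespace, endpoint path, `url` parameter, function names and the `upload_files` capability used in the permission check are all placeholders or assumptions.

```php
<?php
// Added example, not code from the All In One Image Viewer Block plugin.
// Namespace, route, parameter and function names are placeholders.

add_action( 'rest_api_init', function () {
	register_rest_route( 'example-viewer/v1', '/image-proxy', array(
		'methods'             => WP_REST_Server::READABLE,
		'callback'            => 'example_image_proxy_handler',
		// Authorization: anonymous callers are rejected with 401.
		// 'upload_files' is an assumed capability; use the one matching the feature.
		'permission_callback' => function () {
			return current_user_can( 'upload_files' );
		},
		'args'                => array(
			'url' => array(
				'required'          => true,
				'type'              => 'string',
				'validate_callback' => 'example_validate_proxy_url',
			),
		),
	) );
} );

/**
 * URL validation: accept only http(s) URLs whose host resolves exclusively
 * to public addresses. Returns true or a WP_Error, which the REST layer
 * turns into a 400 response.
 */
function example_validate_proxy_url( $url ) {
	$reject = function ( $reason ) {
		return new WP_Error( 'invalid_url', $reason, array( 'status' => 400 ) );
	};
	if ( ! is_string( $url ) || strlen( $url ) > 2048 ) {
		return $reject( 'URL missing or too long' );
	}
	$parts = wp_parse_url( $url );
	if ( empty( $parts['scheme'] ) || empty( $parts['host'] ) ) {
		return $reject( 'URL must be absolute' );
	}
	if ( ! in_array( strtolower( $parts['scheme'] ), array( 'http', 'https' ), true ) ) {
		return $reject( 'Only http and https are allowed' );
	}
	if ( isset( $parts['user'] ) || isset( $parts['pass'] ) ) {
		return $reject( 'Credentials in URL are not allowed' );
	}

	// Collect every address the host resolves to; a literal IP is used as-is.
	$host = trim( $parts['host'], '[]' );
	$ips  = array();
	if ( filter_var( $host, FILTER_VALIDATE_IP ) ) {
		$ips[] = $host;
	} else {
		$records = @dns_get_record( $host, DNS_A + DNS_AAAA );
		foreach ( (array) $records as $record ) {
			if ( isset( $record['ip'] ) )   { $ips[] = $record['ip']; }
			if ( isset( $record['ipv6'] ) ) { $ips[] = $record['ipv6']; }
		}
	}
	if ( empty( $ips ) ) {
		return $reject( 'Host does not resolve' );
	}
	// Private, loopback, link-local and reserved ranges all fail this filter.
	foreach ( $ips as $ip ) {
		if ( false === filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE ) ) {
			return $reject( 'Host resolves to a non-public address' );
		}
	}
	return true;
}

function example_image_proxy_handler( WP_REST_Request $request ) {
	$response = wp_remote_get( $request->get_param( 'url' ), array(
		'timeout'            => 5,
		// No redirects: a validated public URL must not bounce to an internal one.
		'redirection'        => 0,
		// WordPress re-checks the URL against private ranges at fetch time.
		'reject_unsafe_urls' => true,
	) );
	if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
		return new WP_Error( 'upstream_failed', 'Upstream fetch failed', array( 'status' => 502 ) );
	}
	$type = (string) wp_remote_retrieve_header( $response, 'content-type' );
	if ( 0 !== strpos( $type, 'image/' ) ) {
		return new WP_Error( 'not_an_image', 'Upstream response is not an image', array( 'status' => 415 ) );
	}
	// Return the image as base64 inside the JSON envelope rather than echoing raw bytes.
	return new WP_REST_Response( array(
		'content_type' => $type,
		'data'         => base64_encode( wp_remote_retrieve_body( $response ) ),
	) );
}
```

The validator resolves the hostname once and the fetch resolves it again, so a name that changes between the two lookups would otherwise slip past; `reject_unsafe_urls` (WordPress's own `wp_http_validate_url` check at request time) together with `redirection => 0` is what narrows that window. Where the set of image sources is known in advance, a hostname allowlist in place of the resolve-and-filter step is stricter still.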

Advisories

No advisories yet.

History

Fri, 06 Feb 2026 12:15:00 +0000

Type: First Time appeared
Values Added: Bplugins; Bplugins all In One Image Viewer Block – Gutenberg Block To Create Image Viewer With Hyperlink; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Bplugins; Bplugins all In One Image Viewer Block – Gutenberg Block To Create Image Viewer With Hyperlink; Wordpress; Wordpress wordpress

Thu, 05 Feb 2026 15:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 05 Feb 2026 09:30:00 +0000

Type: Description
Values Added: The All In One Image Viewer Block plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.2 due to missing authorization and URL validation on the image-proxy REST API endpoint. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

Type: Title
Values Added: All In One Image Viewer Block <= 1.0.2 - Unauthenticated Server-Side Request Forgery via image-proxy Endpoint

Type: Weaknesses
Values Added: CWE-918

Type: References
Values Added: (none)

Type: Metrics
Values Added: cvssV3_1
{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Bplugins All In One Image Viewer Block – Gutenberg Block To Create Image Viewer With Hyperlink
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:02:39.612Z

Reserved: 2026-01-21T17:10:18.154Z

Link: CVE-2026-1294

Vulnrichment

Updated: 2026-02-05T14:35:29.166Z

NVD

Status: Deferred

Published: 2026-02-05T10:16:03.643

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1294

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T19:00:12Z

Weaknesses