Description
The MimeTypes Link Icons plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.2.20. This is due to the plugin making outbound HTTP requests to user-controlled URLs without proper validation when the "Show file size" option is enabled. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services via crafted links in post content.
Published: 2026-03-21
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery enabling internal resource access
Action: Patch Now
AI Analysis

Impact

The MimeTypes Link Icons plugin for WordPress processes user‑controlled URLs when the "Show file size" setting is enabled, issuing outbound HTTP requests without proper validation. This flaw creates a Server‑Side Request Forgery vulnerability that allows authenticated users with Contributor level or higher to request arbitrary internal or external resources from the application’s host. The ability to craft links embedded in post content means an attacker could retrieve sensitive data or alter internal services, though direct code execution is not possible.

Affected Systems

WordPress sites running the eagerterrier MimeTypes Link Icons plugin, in any version up to and including 3.2.20, are affected. The vulnerability applies regardless of the WordPress core version and requires only that a user with Contributor permissions or greater composes malicious post content.

Risk and Exploitability

The CVSS score of 8.3 indicates high severity; there is no EPSS score available and the issue is not listed in CISA’s KEV catalog. Exploitation requires authenticated access and the "Show file size" option to be enabled. An attacker can inject a crafted link that causes the server to request internal endpoints, potentially exfiltrating data or modifying services. The risk is therefore primarily dependent on the attacker’s privileged role and the sensitivity of the backend services accessed through SSRF.

Generated by OpenCVE AI on March 21, 2026 at 07:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Disable the "Show file size" option if you do not need to display file sizes.
  • Update the MimeTypes Link Icons plugin to the latest available release, removing the vulnerability.
  • If an update is not yet available, consider removing the plugin or limiting Contributor roles to trusted users only.
  • Monitor server logs for unexpected outbound HTTP requests to detect potential exploitation attempts.

Generated by OpenCVE AI on March 21, 2026 at 07:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Eagerterrier
Eagerterrier mimetypes Link Icons
Wordpress
Wordpress wordpress
Vendors & Products Eagerterrier
Eagerterrier mimetypes Link Icons
Wordpress
Wordpress wordpress

Sat, 21 Mar 2026 05:30:00 +0000

Type Values Removed Values Added
Description The MimeTypes Link Icons plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.2.20. This is due to the plugin making outbound HTTP requests to user-controlled URLs without proper validation when the "Show file size" option is enabled. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services via crafted links in post content.
Title MimeTypes Link Icons <= 3.2.20 - Authenticated (Contributor+) Server-Side Request Forgery via Crafted Links in Post Content
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L'}

Subscriptions

Eagerterrier Mimetypes Link Icons
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:02:26.430Z

Reserved: 2026-01-21T20:56:50.859Z

Link: CVE-2026-1313

cve-icon Vulnrichment

Updated: 2026-03-23T15:17:53.633Z

cve-icon NVD

Status : Deferred

Published: 2026-03-21T04:16:52.630

Modified: 2026-04-22T21:32:08.360

Link: CVE-2026-1313

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:42:01Z

Weaknesses