Description
Server-Side Request Forgery (SSRF) vulnerability in wbolt.com IMGspider imgspider allows Server Side Request Forgery. This issue affects IMGspider: from n/a through <= 2.3.12.
Published: 2026-01-22
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Server Side Request Forgery
Action: Apply Patch
AI Analysis

Impact

The IMGspider plugin for WordPress contains a server‑side request forgery flaw that permits an attacker to cause the web server to issue requests to arbitrary URLs. The description notes this vulnerability, but does not detail the exact mechanisms or resulting impacts beyond the SSRF indicator. Based on typical SSRF behavior, the attacker could influence outbound traffic, though the specific consequences are not enumerated in the data.

Affected Systems

The flaw affects the IMGspider plugin from wbolt.com, all releases from the earliest version through version 2.3.12. Any WordPress installation that has a vulnerable instance of this plugin is at risk.

Risk and Exploitability

The CVSS base score of 9.1 classifies this as a critical vulnerability. The EPSS score indicates the exploitation probability is below 1%. The CVE data does not mention public exploits, so it is unclear whether any exist, and it is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector involves a remote actor sending a specially crafted request to the plugin's endpoint, which then performs an HTTP/HTTPS request to whatever URL the attacker controls. This inference comes from the typical nature of SSRF defects.

Generated by OpenCVE AI on April 18, 2026 at 15:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the IMGspider plugin to a version newer than 2.3.12.
  • If a newer release is not available, temporarily deactivate or uninstall the plugin to eliminate the vulnerable functionality.
  • Restrict outbound HTTP/HTTPS traffic from the WordPress site using firewall rules or network segmentation to limit potential misuse of the flaw.



Advisories

No advisories yet.

History

Mon, 26 Jan 2026 20:15:00 +0000

Type: Metrics
Values Removed: (empty)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 26 Jan 2026 19:30:00 +0000

Type: Metrics
Values Removed: (empty)
Values Added: cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

Fri, 23 Jan 2026 16:45:00 +0000

Type: First Time appeared
Values Removed: (empty)
Values Added: Wbolt; Wbolt imgspider; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (empty)
Values Added: Wbolt; Wbolt imgspider; Wordpress; Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type: Description
Values Removed: (empty)
Values Added: Server-Side Request Forgery (SSRF) vulnerability in wbolt.com IMGspider imgspider allows Server Side Request Forgery. This issue affects IMGspider: from n/a through <= 2.3.12.

Type: Title
Values Removed: (empty)
Values Added: WordPress IMGspider plugin <= 2.3.12 - Server Side Request Forgery (SSRF) vulnerability

Type: Weaknesses
Values Removed: (empty)
Values Added: CWE-918
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:14:00.175Z

Reserved: 2026-01-07T13:44:16.751Z

Link: CVE-2026-22482

Vulnrichment

Updated: 2026-01-23T16:49:18.835Z

NVD

Status: Deferred

Published: 2026-01-22T17:16:36.140

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-22482

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T15:30:03Z
