Description
Server-Side Request Forgery (SSRF) vulnerability in Getty Images Getty Images getty-images allows Server Side Request Forgery. This issue affects Getty Images: from n/a through <= 4.1.0.
Published: 2026-04-08
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server-side request forgery enabling attackers to force unintended or malicious outbound requests from the affected WordPress site
Action: Immediate Patch
AI Analysis

Impact

The Getty Images WordPress plugin contains an SSRF flaw that allows an attacker to supply a custom URL that the server will resolve and fetch without proper validation. This weakness can lead to unauthorized disclosure of data, internal network reconnaissance, or interaction with internal services, depending on which target URLs are reached. The vulnerability is classified as CWE-918 and is documented as present in all releases up to and including version 4.1.0.

Affected Systems

WordPress installations that use the Getty Images plugin version 4.1.0 or earlier are affected. Any site that has not upgraded beyond 4.1.0 (or migrated to a newer plugin version) remains vulnerable.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity, and an EPSS score of less than 1% suggests the likelihood of exploitation is currently low. The vulnerability does not appear in CISA's KEV catalog. An attacker could trigger the flaw via a web request to the plugin's endpoint, potentially forcing the server to contact arbitrary internal or external resources. No public exploit code is documented, but the path to exploitation is straightforward and only requires web access to the vulnerable plugin endpoint.

Generated by OpenCVE AI on April 14, 2026 at 16:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Getty Images plugin to version 4.1.1 or later and verify that the update has been applied correctly.
  • If an update cannot be performed immediately, disable the Getty Images plugin from WordPress until a patch is applied.
  • Configure the host firewall or use a dedicated outbound request limiting plugin to block the WordPress installation from making HTTP requests to internal network ranges or to untrusted destinations.
  • Monitor WordPress access logs and server logs for unusual outbound HTTP requests and investigate any anomalies promptly.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 15:15:00 +0000

Type: Metrics
Values removed: (none)
Values added:
  cvssV3_1: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 19:45:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Getty Images; Getty Images getty Images; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values removed: (none)
Values added: Getty Images; Getty Images getty Images; Wordpress; Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type: Description
Values removed: (none)
Values added: Server-Side Request Forgery (SSRF) vulnerability in Getty Images Getty Images getty-images allows Server Side Request Forgery. This issue affects Getty Images: from n/a through <= 4.1.0.

Type: Title
Values removed: (none)
Values added: WordPress Getty Images plugin <= 4.1.0 - Server Side Request Forgery (SSRF) vulnerability

Type: Weaknesses
Values removed: (none)
Values added: CWE-918

Type: References
Values removed: (none)
Values added: (none)

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:52:02.938Z

Reserved: 2026-04-07T10:57:36.651Z

Link: CVE-2026-39630

Vulnrichment

Updated: 2026-04-14T14:39:29.098Z

NVD

Status: Deferred

Published: 2026-04-08T09:16:33.473

Modified: 2026-04-24T18:06:24.707

Link: CVE-2026-39630

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:41:31Z

Weaknesses