Impact
A Server‑Side Request Forgery flaw exists in the Getty Images WordPress plugin for versions up to and including 4.1.0. The vulnerability allows an attacker to cause the plugin to send HTTP requests to any target the attacker specifies. Because the requests originate from the WordPress server, they can reach internal or external resources, potentially leaking sensitive data, exposing internal services, or serving as a foothold for further attacks. The weakness is classified as CWE‑918, the typical SSRF scenario in which user input is used as a request target without proper validation.
Affected Systems
The affected component is the Getty Images WordPress plugin, provided by Getty Images, for all releases from the initial version through version 4.1.0. Users running any of those versions on a WordPress site are vulnerable.
Risk and Exploitability
The CVSS score, EPSS probability, and KEV status are not documented for this CVE. Nonetheless, the flaw can be exploited remotely by any party that can trigger a request to the WordPress instance hosting the plugin, for example via an exposed API endpoint or a crafted link. The exploitation conditions are simple: the plugin must be active and the WordPress site must be reachable, after which an attacker can supply arbitrary URLs to force outbound traffic from the server. The impact includes potential data leakage, internal network enumeration, and possible lateral movement, so the risk is significant for any site that exposes the plugin to unauthenticated users.
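As an added illustration of the mitigation for this weakness class (not code from the Getty Images plugin or from OpenCVE), the following WordPress-style PHP validates an attacker-influenced URL against a fixed host allowlist before it ever reaches the HTTP client; the function names and the allowed host names are assumptions.

```php
<?php
// Added example: a defensive wrapper for user-influenced outbound requests
// in a WordPress plugin. Host list and function names are assumptions.

function gi_example_allowed_hosts() {
    // Only the hosts the plugin legitimately needs; assumed values.
    return array( 'api.gettyimages.com', 'media.gettyimages.com' );
}

/**
 * Return the URL unchanged if it is safe to fetch, otherwise a WP_Error.
 */
function gi_example_validate_outbound_url( $url ) {
    $parts = wp_parse_url( $url );
    if ( ! is_array( $parts ) || empty( $parts['host'] ) ) {
        return new WP_Error( 'ssrf_bad_url', 'URL could not be parsed.' );
    }
    // Reject everything but https; this also blocks file://, gopher:// etc.
    if ( empty( $parts['scheme'] ) || 'https' !== strtolower( $parts['scheme'] ) ) {
        return new WP_Error( 'ssrf_scheme', 'Only https is allowed.' );
    }
    // Exact, case-insensitive host match against the allowlist. Never use a
    // substring or prefix check here: "api.gettyimages.com.evil.example"
    // must not pass.
    $host = strtolower( $parts['host'] );
    if ( ! in_array( $host, gi_example_allowed_hosts(), true ) ) {
        return new WP_Error( 'ssrf_host', 'Host is not on the allowlist.' );
    }
    // Userinfo ("user:pass@") and explicit ports are not expected for the
    // API and are a common way to confuse parsers, so refuse them outright.
    if ( isset( $parts['user'] ) || isset( $parts['pass'] ) || isset( $parts['port'] ) ) {
        return new WP_Error( 'ssrf_authority', 'Unexpected userinfo or port.' );
    }
    return $url;
}

function gi_example_fetch( $user_supplied_url ) {
    $url = gi_example_validate_outbound_url( $user_supplied_url );
    if ( is_wp_error( $url ) ) {
        return $url; // caller logs and reports; nothing is fetched
    }
    // wp_safe_remote_get() is the WordPress HTTP API entry point that refuses
    // URLs resolving to loopback/private ranges. Disabling redirects closes
    // the "allowed host redirects to an internal address" bypass.
    return wp_safe_remote_get( $url, array( 'timeout' => 10, 'redirection' => 0 ) );
}
```

The allowlist is the primary control; the private-range check inside `wp_safe_remote_get()` is a second layer, not a substitute, because DNS answers can change between validation and the actual connection.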
OpenCVE Enrichment