CVE-2026-1294 – The All In One Image Viewer Block WordPress plu... (How to Fix)

Q: What is the severity of CVE-2026-1294?

CVE-2026-1294 has a CVSS score of 7.2 (HIGH). The All In One Image Viewer Block WordPress plugin has a Server-Side Request Forgery (SSRF) vulnerability that allows unauthenticated attackers to make arbitrary web requests from the vulnerable server. This can be used to query internal services, potentially exposing sensitive information or enabling further attacks. All WordPress sites using this plugin up to version 1.0.2 are affected.

📋 TL;DR

The All In One Image Viewer Block WordPress plugin has a Server-Side Request Forgery (SSRF) vulnerability that allows unauthenticated attackers to make arbitrary web requests from the vulnerable server. This can be used to query internal services, potentially exposing sensitive information or enabling further attacks. All WordPress sites using this plugin up to version 1.0.2 are affected.

💻 Affected Systems

Products:

All In One Image Viewer Block WordPress plugin

Versions: All versions up to and including 1.0.2

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: Any WordPress site with this plugin installed and activated is vulnerable.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could access internal services, steal sensitive data, pivot to internal networks, or perform actions on behalf of the server.

🟠

Likely Case

Information disclosure from internal services, reconnaissance of internal network, or limited data exfiltration.

🟢

If Mitigated

Limited impact if network segmentation prevents access to sensitive internal services.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

SSRF vulnerabilities are commonly exploited and require minimal technical skill.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.3

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3449642/image-viewer/tags/1.0.3/image-viewer-block.php

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find 'All In One Image Viewer Block'. 4. Click 'Update Now' if available, or manually update to version 1.0.3. 5. Verify the plugin is updated to 1.0.3 or later.

🔧 Temporary Workarounds

Disable the vulnerable plugin

all

Temporarily deactivate the All In One Image Viewer Block plugin until patched.

wp plugin deactivate image-viewer

Restrict access to image-proxy endpoint

linux

Use web application firewall or .htaccess to block access to the vulnerable REST API endpoint.

# Add to .htaccess:
RewriteCond %{REQUEST_URI} ^/wp-json/image-viewer/v1/image-proxy
RewriteRule .* - [F]

🧯 If You Can't Patch

Disable the plugin immediately
Implement network segmentation to isolate the WordPress server from internal services

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for 'All In One Image Viewer Block' version 1.0.2 or earlier.

Check Version:

wp plugin get image-viewer --field=version

Verify Fix Applied:

Confirm plugin version is 1.0.3 or later in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

Unusual requests to /wp-json/image-viewer/v1/image-proxy endpoint
Outbound requests from WordPress server to internal IP addresses

Network Indicators:

HTTP requests from WordPress server to internal services on unusual ports
Traffic patterns suggesting internal network scanning

SIEM Query:

source="wordpress.log" AND uri="/wp-json/image-viewer/v1/image-proxy"

📊 Metadata

CVE ID: CVE-2026-1294

CVSS v3 Score: 7.2 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CWE: CWE-918

Published: February 5, 2026

Last Updated: February 5, 2026

🤖 AI-assisted analysis, reviewed for accuracy

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-1294, you might also want to check these: