Atomic Edge analysis of CVE-2026-1313 (metadata-based):
The MimeTypes Link Icons plugin for WordPress versions up to 3.2.20 contains a server-side request forgery (SSRF) vulnerability. This flaw allows authenticated users with Contributor-level permissions or higher to force the application to make arbitrary outbound HTTP requests. The vulnerability is triggered when the plugin’s ‘Show file size’ feature is active, and an attacker injects a crafted link into post content.

Atomic Edge research infers the root cause is a lack of validation on user-supplied URLs before the plugin uses them to make external HTTP requests. The CWE-918 classification confirms this pattern. The vulnerability description states the plugin makes outbound requests to user-controlled URLs. This likely occurs within a function hooked to `the_content` or a similar filter that processes links in posts. The function retrieves a remote file’s size via a method like `wp_remote_head()` or `file_get_contents()` without restricting the target URL scheme or network location.

An attacker exploits this by creating or editing a post with a malicious link. The link’s `href` attribute would point to an internal service or restricted URL, such as `http://169.254.169.254/latest/meta-data/` for AWS metadata. When the post is viewed or previewed, the plugin’s ‘Show file size’ functionality attempts to fetch the linked file’s size, sending the request from the web server. This bypasses normal network boundaries. The attack requires the ‘Contributor’ role, which can create and edit unpublished posts.

Remediation requires implementing strict validation and sanitization on any URL used for outbound requests. The fix should validate the URL scheme, restrict requests to public internet resources, and block access to private IP ranges and localhost. A network-level allowlist for permitted domains or a user-configurable list of allowed hosts would be effective. The plugin must also enforce proper capability checks, though the description confirms the attacker requires Contributor access, which is already a non-trivial privilege.
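The following is an added example written for this analysis, not code from the MimeTypes Link Icons plugin, showing the shape of the remediation described above in WordPress plugin code. It assumes hypothetical function names (`mtli_is_safe_outbound_url`, `mtli_remote_file_size`) and a hypothetical `mtli_allowed_hosts` filter for the optional allowlist; `wp_parse_url()`, `wp_safe_remote_head()`, `wp_remote_retrieve_header()` and `is_wp_error()` are real WordPress core functions, and the address-range checks rely on PHP's built-in `filter_var()` flags.

```php
<?php
/**
 * Added example (not the plugin's own code): gate every outbound
 * "file size" lookup behind a strict URL check before calling the
 * WordPress HTTP API. The mtli_* names and the mtli_allowed_hosts
 * filter are hypothetical.
 */

/**
 * Return true only if $url is plain http(s), carries no credentials,
 * passes the optional host allowlist, and every address its host
 * resolves to is a public, globally routable IP.
 */
function mtli_is_safe_outbound_url( $url ) {
    $parts = wp_parse_url( $url );
    if ( ! is_array( $parts ) || empty( $parts['host'] ) || empty( $parts['scheme'] ) ) {
        return false;
    }
    // Only http/https: no file://, ftp://, gopher:// or PHP stream wrappers.
    if ( ! in_array( strtolower( $parts['scheme'] ), array( 'http', 'https' ), true ) ) {
        return false;
    }
    // user:pass@host is a common way to confuse naive host parsing.
    if ( isset( $parts['user'] ) || isset( $parts['pass'] ) ) {
        return false;
    }
    // Strip IPv6 brackets and a trailing dot so comparisons are canonical.
    $host = strtolower( trim( $parts['host'], '[].' ) );

    // Optional operator-configured allowlist (hypothetical filter name).
    // An empty list means "any public host"; a non-empty list is exact-match only.
    $allowed = apply_filters( 'mtli_allowed_hosts', array() );
    if ( ! empty( $allowed ) && ! in_array( $host, array_map( 'strtolower', $allowed ), true ) ) {
        return false;
    }

    // Collect every address the request could actually be sent to.
    if ( filter_var( $host, FILTER_VALIDATE_IP ) ) {
        $addresses = array( $host );
    } else {
        $addresses = array();
        $records   = dns_get_record( $host, DNS_A | DNS_AAAA );
        if ( ! is_array( $records ) ) {
            return false;
        }
        foreach ( $records as $record ) {
            if ( isset( $record['ip'] ) ) {
                $addresses[] = $record['ip'];
            }
            if ( isset( $record['ipv6'] ) ) {
                $addresses[] = $record['ipv6'];
            }
        }
        if ( empty( $addresses ) ) {
            return false;
        }
    }

    // Reject if ANY resolved address is private (10/8, 172.16/12, 192.168/16,
    // fc00::/7) or reserved (0/8, 127/8, 169.254/16 link-local which includes
    // cloud metadata endpoints, 240/4, ::1, ::/128, ::ffff:0:0/96, fe80::/10).
    foreach ( $addresses as $ip ) {
        $ok = filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE );
        if ( false === $ok ) {
            return false;
        }
    }
    return true;
}

/**
 * Fetch Content-Length for a link, or null if the link is not allowed or
 * the lookup fails. Redirects are disabled so a public host cannot bounce
 * the request to an internal address with a 3xx response.
 */
function mtli_remote_file_size( $url ) {
    if ( ! mtli_is_safe_outbound_url( $url ) ) {
        return null;
    }
    // wp_safe_remote_head() additionally applies core's wp_http_validate_url().
    $response = wp_safe_remote_head( $url, array(
        'timeout'     => 5,
        'redirection' => 0,
    ) );
    if ( is_wp_error( $response ) ) {
        return null;
    }
    $length = wp_remote_retrieve_header( $response, 'content-length' );
    return ( '' === $length ) ? null : (int) $length;
}
```

Two design points are worth noting. First, the check resolves the hostname itself and rejects the URL if any returned address is non-public, rather than only inspecting the literal host string, so a public-looking name that resolves to an internal address is refused; a residual risk remains where the DNS answer changes between this check and the HTTP client's own lookup (DNS rebinding), which can only be closed by pinning the resolved address at the transport layer. Second, disabling redirection matters because scheme and address checks on the initial URL say nothing about where a 3xx response points.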

Successful exploitation enables attackers to probe and interact with internal services unreachable from the external network. This can lead to sensitive information disclosure from cloud metadata services, internal APIs, or file systems. Attackers could also leverage the vulnerable server as a proxy to attack other internal systems, potentially leading to lateral movement. The CVSS vector records a scope change (S:C) and rates Confidentiality, Integrity, and Availability impact as high, reflecting that the risk extends beyond the WordPress host to backend systems.