WordPress Plugin Vulnerabilities

Converter for Media – Optimize images < 6.5.2 - Unauthenticated SSRF

Description

The plugin is vulnerable to Server-Side Request Forgery via the PassthruLoader::load_image_source function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

Affects Plugins

Plugin icon
webp-converter-for-media
Fixed in 6.5.2

References

CVE
CVE-2026-1356
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/188d812c-2955-4b0c-ae1c-b42c0f60b73b

Classification

Type
SSRF
OWASP top 10
A1: Injection
CWE
CWE-918
CVSS
4.8 (medium)

Miscellaneous

Original Researcher
Lucas Montes (NiRoX)
Verified
No
WPVDB ID
4b7a46cd-1438-4814-97e1-9d128878d36f

Timeline

Publicly Published
2026-02-11 (about 3 months ago)
Added
2026-02-12 (about 3 months ago)
Last Updated
2026-02-12 (about 3 months ago)

Other

Published
Title
Published
2025-01-13
Title
W3 Total Cache < 2.8.2 - Subscriber+ Server-Side Request Forgery
Published
2026-05-04
Title
Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem < 3.6.0 - Authenticated (Contributor+) Server-Side Request Forgery via 'imageUrl'
Published
2025-03-24
Title
WP Compress < 6.30.16 - Unauthenticated Server-Side Request Forgery via init Function
Published
2025-03-21
Title
Make Builder < 1.1.11 - Authenticated (Subscriber+) Server-Side Request Forgery via make_builder_ajax_subscribe Function
Published
2021-03-23
Title
Mapplic and Mapplic Lite - SSRF to Stored Cross-Site Scripting (XSS)