CVE-2026-1356
📋 TL;DR
This Server-Side Request Forgery (SSRF) vulnerability in the Converter for Media WordPress plugin allows unauthenticated attackers to make arbitrary web requests from the vulnerable server. Attackers can query and potentially modify internal services that shouldn't be accessible from the internet. All WordPress sites using this plugin up to version 6.5.1 are affected.
💻 Affected Systems
- Converter for Media – Optimize images | Convert WebP & AVIF WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access internal services like databases, cloud metadata endpoints, or administrative interfaces, potentially leading to data exfiltration, privilege escalation, or lateral movement within internal networks.
Likely Case
Attackers scanning internal networks, accessing internal APIs, or exploiting other vulnerabilities in internal services that aren't internet-facing.
If Mitigated
Limited to port scanning internal networks or accessing services with proper authentication requirements.
🎯 Exploit Status
SSRF vulnerabilities are commonly exploited and this requires no authentication, making exploitation straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.5.2 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3445904/webp-converter-for-media
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find 'Converter for Media – Optimize images | Convert WebP & AVIF'
4. Click 'Update Now' if available
5. Or download version 6.5.2+ from WordPress repository and upload manually
🔧 Temporary Workarounds
Disable vulnerable plugin
allTemporarily disable the Converter for Media plugin until patched
wp plugin deactivate webp-converter-for-media
Network segmentation
allRestrict outbound HTTP/HTTPS requests from web servers to internal networks
🧯 If You Can't Patch
- Implement web application firewall rules to block SSRF patterns
- Deploy network controls to restrict web server outbound connections to internal networks
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins for 'Converter for Media' versionCheck Version:
wp plugin get webp-converter-for-media --field=versionVerify Fix Applied:
Verify plugin version is 6.5.2 or higher in WordPress admin📡 Detection & Monitoring
Log Indicators:
- Unusual outbound HTTP requests from web server to internal IPs
- Requests to metadata endpoints (169.254.169.254, 100.100.100.200)
- Multiple failed connection attempts to various internal ports
Network Indicators:
- Web server making unexpected HTTP requests to internal network ranges
- Traffic from web server to cloud metadata services
SIEM Query:
source="web_server_logs" AND (dest_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.169.254) OR uri CONTAINS "load_image_source")