Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Network-reachable, low complexity, but PR:L required as some WordPress authentication is needed; S:C reflects SSRF reaching systems beyond the vulnerable plugin.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Server-Side Request Forgery (SSRF) vulnerability in bdthemes Instant Image Generator ai-image allows Server Side Request Forgery.This issue affects Instant Image Generator: from n/a through <= 2.1.4.
AnalysisAI
Server-Side Request Forgery in bdthemes Instant Image Generator (WordPress plugin ai-image) through version 2.1.4 allows low-privileged authenticated users to coerce the WordPress server into issuing HTTP requests to arbitrary destinations. The scope-changed CVSS vector (S:C) confirms the server can be directed at internal infrastructure beyond the WordPress installation itself, enabling internal network probing or cloud metadata endpoint access. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated WordPress session with at least low-privilege access (PR:L per CVSS vector) - any registered user role capable of accessing the plugin's image generation feature is sufficient. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 6.4 (Medium) reflects network reachability (AV:N), low complexity (AC:L), and low privilege requirement (PR:L), with no user interaction needed (UI:N) and a scope change (S:C) indicating lateral reach into backend systems. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with any authenticated WordPress account (e.g., subscriber) submits a crafted image generation request with a URL pointing to the EC2 instance metadata endpoint (http://169.254.169.254/latest/meta-data/iam/security-credentials/) or an internal service. The server-side PHP code fetches the target URL and may return or log the response, exposing cloud credentials or internal service data to the attacker. … |
| Remediation | Update the Instant Image Generator plugin beyond version 2.1.4; consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/ai-image/vulnerability/wordpress-instant-image-generator-plugin-2-1-4-server-side-request-forgery-ssrf-vulnerability for the confirmed patched release version, which is not independently verified from available input data. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43485