Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Server-Side Request Forgery (SSRF) vulnerability in Getty Images Getty Images getty-images allows Server Side Request Forgery.This issue affects Getty Images: from n/a through <= 4.1.0.
AnalysisAI
Server-Side Request Forgery (SSRF) in Getty Images WordPress plugin through version 4.1.0 allows authenticated attackers to make arbitrary HTTP requests from the server, potentially accessing internal services or metadata endpoints. The vulnerability requires valid WordPress user credentials and affects the plugin across all versions up to 4.1.0. This has a moderate real-world risk profile with low EPSS exploitation probability (0.02%) despite moderate CVSS impact, suggesting limited practical weaponization despite theoretical exploitability.
Technical ContextAI
Server-Side Request Forgery (CWE-918) vulnerabilities occur when an application fetches remote resources without proper validation of the target URL. In the Getty Images WordPress plugin, the SSRF flaw allows authenticated users to specify arbitrary URLs that the server will fetch, bypassing client-side restrictions. This class of vulnerability is dangerous in cloud environments where servers can reach internal APIs, metadata services (like AWS EC2 instance metadata endpoints), or other backend infrastructure not directly accessible from the Internet. The plugin's interaction with Getty Images' remote image service appears to lack URL validation or allowlisting, enabling an attacker with valid WordPress credentials to redirect these fetch operations toward unintended targets.
RemediationAI
Upgrade the Getty Images plugin to a version newer than 4.1.0 immediately. Patch availability and specific fixed version numbers have not been independently confirmed from the provided references; consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/getty-images/vulnerability/wordpress-getty-images-plugin-4-1-0-server-side-request-forgery-ssrf-vulnerability for the latest patched release. As an interim workaround, restrict the Getty Images plugin's user access to only trusted administrators and monitor outbound HTTP requests from the server for suspicious destinations. Additionally, implement URL allowlisting or validation at the application layer to restrict the plugin's fetch operations to only legitimate Getty Images API endpoints.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20281