Skip to main content

Getty Images EUVDEUVD-2026-20281

| CVE-2026-39630 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-04-08 Patchstack
6.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 14, 2026 - 15:26 vuln.today
CVSS changed
Apr 14, 2026 - 15:22 NVD
6.4 (MEDIUM)
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20281
CVE Published
Apr 08, 2026 - 08:30 nvd
N/A

DescriptionCVE.org

Server-Side Request Forgery (SSRF) vulnerability in Getty Images Getty Images getty-images allows Server Side Request Forgery.This issue affects Getty Images: from n/a through <= 4.1.0.

AnalysisAI

Server-Side Request Forgery (SSRF) in Getty Images WordPress plugin through version 4.1.0 allows authenticated attackers to make arbitrary HTTP requests from the server, potentially accessing internal services or metadata endpoints. The vulnerability requires valid WordPress user credentials and affects the plugin across all versions up to 4.1.0. This has a moderate real-world risk profile with low EPSS exploitation probability (0.02%) despite moderate CVSS impact, suggesting limited practical weaponization despite theoretical exploitability.

Technical ContextAI

Server-Side Request Forgery (CWE-918) vulnerabilities occur when an application fetches remote resources without proper validation of the target URL. In the Getty Images WordPress plugin, the SSRF flaw allows authenticated users to specify arbitrary URLs that the server will fetch, bypassing client-side restrictions. This class of vulnerability is dangerous in cloud environments where servers can reach internal APIs, metadata services (like AWS EC2 instance metadata endpoints), or other backend infrastructure not directly accessible from the Internet. The plugin's interaction with Getty Images' remote image service appears to lack URL validation or allowlisting, enabling an attacker with valid WordPress credentials to redirect these fetch operations toward unintended targets.

RemediationAI

Upgrade the Getty Images plugin to a version newer than 4.1.0 immediately. Patch availability and specific fixed version numbers have not been independently confirmed from the provided references; consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/getty-images/vulnerability/wordpress-getty-images-plugin-4-1-0-server-side-request-forgery-ssrf-vulnerability for the latest patched release. As an interim workaround, restrict the Getty Images plugin's user access to only trusted administrators and monitor outbound HTTP requests from the server for suspicious destinations. Additionally, implement URL allowlisting or validation at the application layer to restrict the plugin's fetch operations to only legitimate Getty Images API endpoints.

Share

EUVD-2026-20281 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy