What the vulnerability does
01Description
The MimeTypes Link Icons plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.2.20. This is due to the plugin making outbound HTTP requests to user-controlled URLs without proper validation when the "Show file size" option is enabled. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services via crafted links in post content.
Explanation of Vulnerability in Simple Terms
02Summary
MimeTypes Link Icons versions 3.2.20 and earlier contain a server-side request forgery vulnerability. An attacker can make the affected component send HTTP requests to internal or external systems on the server's behalf. No authentication or user interaction is required. The vulnerability can lead to information disclosure, data modification, or service disruption depending on what systems are reachable from the server.
What an attacker can do
03Attacker Capabilities
Make the server send requests to internal systems or external URLs to read data, modify resources, or disrupt services.
Potential impact on your site
04Site Impact
Attackers can access internal services, exfiltrate data, or cause denial of service without needing to log in.
Conditions required to exploit
05Prerequisites
Network access to the vulnerable component; no authentication required.
Key dates
06Disclosure timeline
March 21, 2026
CVE published
April 8, 2026
Record updated
