CVE-2026-1294
Severity: High (CVSS v3.1 base score 7.2)
Weakness type: CWE-918 (Server-Side Request Forgery)
Published: Feb 5, 2026  ·  Modified: Feb 28, 2026  ·  Source: NVD
📄 Description (English)

The All In One Image Viewer Block plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.2 due to missing authorization and URL validation on the image-proxy REST API endpoint. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

🤖 AI Executive Summary

The All In One Image Viewer Block WordPress plugin (versions ≤1.0.2) contains a high-severity (CVSS 7.2) Server-Side Request Forgery (SSRF) vulnerability in its image-proxy REST API endpoint. The route is callable without authentication (in WordPress REST terms, its permission callback does not restrict who may call it) and does not validate the URL it is asked to fetch, so an unauthenticated attacker can make the server issue web requests to destinations of the attacker's choosing, including internal services that are not reachable from the internet, and read or modify data on them. The missing URL validation and authorization controls make this a high-risk vulnerability requiring prompt patching across all affected WordPress installations.

🤖 AI Intelligence Analysis Analyzed: May 9, 2026 03:34
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations running WordPress with the All In One Image Viewer Block plugin at version 1.0.2 or earlier are exposed, with the highest stakes in SAMA-regulated banking and financial services, NCA-overseen government entities, healthcare providers and e-commerce platforms, as well as energy sector organizations (Aramco, utilities) and telecommunications providers (STC, Mobily) that run WordPress-based portals. Because the request is issued by the web server, an attacker can reach whatever that server can reach: internal web services, management interfaces, databases with HTTP front ends, and on cloud-hosted instances the metadata endpoint. The practical blast radius is therefore set by the WordPress host's network position and egress rules, not by the plugin alone. An internet-facing site whose server sits on a flat internal network or has unrestricted egress is the worst case, since the unauthenticated SSRF can then serve as a pivot into internal systems and a way to read sensitive data held by internal services.
🏢 Affected Saudi Sectors
Banking and Financial Services, Government and Public Administration, Healthcare and Medical Services, Energy and Utilities, Telecommunications, E-commerce and Retail, Education, Insurance
⚖️ Saudi Risk Score (AI)
8.1
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all WordPress installations using the All In One Image Viewer Block plugin by checking the wp-content/plugins/ directory and the Plugins page of the WordPress admin dashboard, or with `wp plugin list` on each site
2. Disable the plugin immediately if the patch cannot be applied yet: `wp plugin deactivate all-in-one-image-viewer-block` (the slug must match the plugin's directory name under wp-content/plugins/)
3. Review web server logs (access.log, error.log) for requests to the plugin's image-proxy route going back at least 30 days. The route lives under /wp-json/ in the plugin's own namespace, so confirm the exact path from the route index returned by GET /wp-json/ on the site before building log searches; a search for a guessed path such as /wp-json/image-proxy will miss real hits
4. Check for indicators of compromise: unusual outbound connections from the web server, modified data on internal services, unauthorized API calls to internal endpoints, and on cloud instances any reads of the instance metadata endpoint

PATCHING GUIDANCE:
1. Update the All In One Image Viewer Block plugin to version 1.0.3 or later immediately
2. Use WordPress admin dashboard: Plugins > All In One Image Viewer Block > Update, or via wp-cli: wp plugin update all-in-one-image-viewer-block
3. Test functionality in staging environment before production deployment
4. Verify plugin update completion and version number

COMPENSATING CONTROLS (if immediate patching not possible):
1. Implement Web Application Firewall (WAF) rules to block requests to the plugin's image-proxy route (confirm the exact path from the route index at GET /wp-json/). If the route must stay reachable, block requests whose URL parameter, after URL-decoding, uses a scheme other than http or https or targets localhost, a loopback, private or link-local address (including the cloud metadata address 169.254.169.254)
2. Restrict access to the route at the web server. .htaccess and nginx cannot see WordPress sessions, so at that layer "authenticated users only" means HTTP basic authentication or an IP allowlist on the route path. To require a WordPress login instead, hook the `rest_authentication_errors` filter and return a `WP_Error` with status 401 when `is_user_logged_in()` is false; this blocks all anonymous REST use, which some themes and front-end plugins depend on, so test in staging first
3. Do not rely on `define('REST_API_ENABLED', false)` in wp-config.php: that constant does not exist in WordPress and setting it has no effect. WordPress has no supported switch to turn the REST API off, and the block editor and admin dashboard depend on it; restrict anonymous access with the filter above or a security plugin rather than trying to disable the API
4. Use security plugins (Wordfence, Sucuri) to monitor and block suspicious REST API activity

DETECTION RULES:
1. Monitor GET and POST requests to the plugin's image-proxy route and inspect the URL parameter after decoding it (%3A%2F%2F is "://", and double-encoded values need a second decode)
2. Alert when the decoded target uses a scheme other than http or https (file, gopher, dict, ftp) or points at localhost, 127.0.0.0/8, 0.0.0.0, ::1, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 or 169.254.0.0/16 (the cloud metadata address 169.254.169.254 sits here), including IPv4-mapped IPv6 forms such as ::ffff:10.0.0.1 and the non-dotted spellings of loopback (0x7f000001, 2130706433, 127.1) that a plain regex on "127.0.0.1" misses
3. Track outbound connections from the web server process (PHP-FPM or the httpd worker) to internal addresses and ports that are not on an allowlist of legitimate image hosts; a WordPress host normally has no reason to connect to 169.254.169.254 or to internal database and admin ports
4. Treat a 200 response from the proxy route to an unauthenticated request whose target is internal as a confirmed read of internal data, not just an attempt; 502 and timeout responses still reveal port scanning through the proxy
5. Implement SIEM rules that flag many proxy requests from one client in a short window, or requests that sweep consecutive internal addresses or ports, as scanning via the proxy endpoint
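The detection rules above and the missing URL validation described in the advisory come down to one decision: given the target a caller passes to the proxy, is it somewhere the server may fetch on an anonymous user's behalf? The Python below is an added example, not code from the plugin or from this page, that makes that decision once and uses it both as the allow/deny check a hardened proxy would apply before fetching and as a scanner over access-log lines. The route namespace `aio-image-viewer/v1`, the host names, the resolver answers in `EXAMPLE_DNS` and the log lines are constructed for the example; the real route path must be read from GET /wp-json/ on the affected site.

```python
"""Added example, not the plugin's code: decide whether an image-proxy target may be fetched
for an anonymous caller, and reuse that decision to find abuse in access.log. Route
namespace, hostnames, DNS answers and log lines are constructed for the example."""
import ipaddress
import re
import socket
from urllib.parse import parse_qs, unquote, urlsplit

# Never fetch from these for an anonymous caller: unspecified, RFC 1918, CGNAT, loopback,
# link-local (cloud metadata 169.254.169.254 is here), multicast/reserved, IPv6 equivalents.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10")]

def is_blocked_ip(ip):
    """IPv4-mapped IPv6 (::ffff:10.0.0.1) is judged as the IPv4 address it reaches."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)

def parse_host_as_ip(host):
    """Address for a literal host, None for a DNS name; the libc inet_aton fallback catches
    0x7f000001, 2130706433 and 127.1, which a regex written for '127.0.0.1' misses."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        return ipaddress.IPv4Address(socket.inet_aton(host))
    except OSError:
        return None

def default_resolve(host):
    try:  # all A/AAAA answers as strings; empty when the name does not resolve
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []

def classify_target(url, resolve=default_resolve):
    """('allow'|'block', reason); a hardened proxy then connects to the address that passed, not a fresh lookup (DNS rebinding)."""
    try:
        parts = urlsplit(url.strip())
        scheme, host = parts.scheme.lower(), parts.hostname
    except ValueError:
        return "block", "unparseable URL"
    if scheme not in ("http", "https"):
        return "block", f"scheme {scheme!r} not allowed"
    if not host:
        return "block", "no host"
    ip = parse_host_as_ip(host)
    if ip is not None:
        return ("block", "literal address is internal") if is_blocked_ip(ip) else ("allow", "literal public address")
    if host == "localhost" or host.endswith(".localhost"):
        return "block", "localhost name"
    addrs = resolve(host)
    if not addrs:
        return "block", f"{host} does not resolve"
    for addr in addrs:
        if is_blocked_ip(ipaddress.ip_address(addr)):
            return "block", f"{host} resolves to internal {addr}"
    return "allow", f"{host} resolves to public {addrs}"

# Apache/nginx "combined" format: client ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def scan_access_log(lines, route="image-proxy", url_params=("url", "src"), resolve=default_resolve):
    """One finding per proxy-route request whose URL parameter must not be fetched. parse_qs
    decodes once; the extra unquote catches double encoding (%2531 -> %31 -> 1)."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or route not in m["target"]:
            continue
        params = parse_qs(urlsplit(m["target"]).query)
        for name in url_params:
            for value in params.get(name, []):
                verdict, reason = classify_target(unquote(value), resolve)
                if verdict == "block":
                    findings.append({"client": m["client"], "time": m["time"], "status": int(m["status"]),
                                     "param": name, "target": value, "reason": reason})
    return findings

# Constructed data: "aio-image-viewer/v1" is a placeholder namespace (read the real route from
# GET /wp-json/ on the affected site) and EXAMPLE_DNS stands in for real name resolution.
EXAMPLE_DNS = {"cdn.example.org": ["198.51.100.7"], "intranet.corp.example": ["10.0.0.5"]}
PROXY = "/wp-json/aio-image-viewer/v1/image-proxy"
SAMPLE_LOG = [
    '203.0.113.10 - - [05/Feb/2026:10:00:01 +0300] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    f'203.0.113.10 - - [05/Feb/2026:10:00:02 +0300] "GET {PROXY}?url=https%3A%2F%2Fcdn.example.org%2Fa.jpg HTTP/1.1" 200 81234 "-" "Mozilla/5.0"',
    f'198.51.100.23 - - [05/Feb/2026:10:01:07 +0300] "GET {PROXY}?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 312 "-" "curl/8.5"',
    f'198.51.100.23 - - [05/Feb/2026:10:01:11 +0300] "GET {PROXY}?url=http%3A%2F%2F2130706433%3A6379%2F HTTP/1.1" 502 0 "-" "curl/8.5"',
    f'198.51.100.23 - - [05/Feb/2026:10:01:14 +0300] "GET {PROXY}?url=http%3A%2F%2Fintranet.corp.example%2Fadmin HTTP/1.1" 200 4410 "-" "curl/8.5"',
    f'198.51.100.23 - - [05/Feb/2026:10:01:25 +0300] "GET {PROXY}?src=file%3A%2F%2F%2Fetc%2Fpasswd HTTP/1.1" 400 0 "-" "curl/8.5"',
]

def run_example():
    """Scan the constructed log with the constructed resolver: four of the six lines are flagged."""
    return scan_access_log(SAMPLE_LOG, resolve=lambda host: EXAMPLE_DNS.get(host, []))
```

Call `run_example()` to see the findings from the constructed log, or `scan_access_log(open("access.log"))` with the default resolver for a real file. Two things the rule list alone does not show: the literal-address check has to go through the libc parser, because `0x7f000001` and `2130706433` never match a regex written for `127.0.0.1`; and for DNS names the fetcher must connect to the address that passed the check rather than resolving again, otherwise a name that first answers with a public address and then a private one slips through.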
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
The control identifiers listed for this framework (A.14.2.1, A.13.1.3, A.14.2.5, A.13.2.1) are ISO/IEC 27001:2013 Annex A numbers, not NCA ECC controls; ECC uses a domain-subdomain-control scheme (for example 2-10-x). The ECC subdomains this CVE maps to are Vulnerability Management, Web Application Security, Networks Security Management and Cybersecurity Event Logs and Monitoring Management; take the exact control numbers from the ECC-2:2024 text.
🔵 SAMA CSF
The SAMA CSF is organised into domains 3.1 to 3.4 with subdomains numbered 3.x.y; "2.1", "4.1" and "4.2" are not CSF references. The relevant subdomains are 3.3.6 Application Security, 3.3.14 Cyber Security Event Management and 3.3.17 Vulnerability Management, with 3.4 Third Party Cyber Security covering the plugin as supplied code (SAMA CSF v1.0 numbering; verify against the edition your institution reports against).
🟡 ISO 27001:2022
ISO 27001:2022 A.5.19 - Information security in supplier relationships (the plugin is third-party code) ISO 27001:2022 A.8.3 - Information access restriction ISO 27001:2022 A.8.8 - Management of technical vulnerabilities ISO 27001:2022 A.8.22 - Segregation of networks ISO 27001:2022 A.8.26 - Application security requirements. (A.5.15 in the 2022 edition is Access control, not supplier relationships; A.12.6.1 is a 2013-edition number; A.8.1 User endpoint devices does not apply to a server-side flaw.)
🟣 PCI DSS v4.0.1
PCI DSS 6.3.3 - Critical or high-security patches installed within one month of release PCI DSS 6.2.4 - Software engineering techniques that prevent or mitigate common software attacks (injection and similar) PCI DSS 6.4.2 - Automated technical solution (such as a WAF) that continually detects and prevents web-based attacks on public-facing web applications PCI DSS 11.3 - Internal and external vulnerability scans. (6.2, 6.5.1, 6.5.10 and 11.2 as previously cited are v3.2.1 requirement numbers.)
📊 CVSS Score
7.2 / 10.0 (High)
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector (AV): N = Network
Attack Complexity (AC): L = Low
Privileges Required (PR): N = None
User Interaction (UI): N = None
Scope (S): C = Changed (the web application is used to affect internal services outside its own security authority)
Confidentiality (C): L = Low
Integrity (I): L = Low
Availability (A): N = None
📋 Quick Facts
Severity: High
CVSS Score: 7.2
CWE: CWE-918
EPSS: 0.01%
Known exploit: No
Patch available: Yes
Published: 2026-02-05
Source feed: nvd
🇸🇦 Saudi Risk Score
8.1 / 10.0 (Saudi Risk)
Priority: CRITICAL
🏷️ Tags
CWE-918