Converter for Media – Optimize images | Convert WebP & AVIF Vulnera…

by | Feb 12, 2026 | Plugins

Attack Vectors

The WordPress plugin Converter for Media – Optimize images | Convert WebP & AVIF (slug: webp-converter-for-media) is affected by a Medium-severity Server-Side Request Forgery (SSRF) vulnerability (CVE-2026-1356) in versions up to and including 6.5.1. Because the issue is described as unauthenticated, an attacker may not need a valid WordPress login to attempt exploitation.

In practical terms, SSRF means an attacker can try to trick your website into making network requests on their behalf. Those requests originate from your web server—so they may have access to internal network locations or services that external attackers typically cannot reach directly.

Security Weakness

According to the published advisory, the SSRF weakness exists in the plugin’s PassthruLoader::load_image_source function via the src input. This can allow an attacker to influence where the server attempts to fetch image source data from, potentially including non-public internal services.
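To make the weakness concrete, the following is an added illustration (not the plugin's own code, and not taken from the advisory) of the SSRF pattern a passthru image loader falls into when it trusts `src`, beside a hardened version that never fetches a URL at all and only serves files under a fixed uploads directory. The function names, the uploads layout, the fake `fetch` callable and the `is_private_target` helper are all assumptions made for this example.

```python
"""Added illustration of the SSRF pattern described above and one way to close it.
Hypothetical code, not the plugin's own: function names, the uploads layout and
the fake `fetch` callable are all assumptions made for the example."""
import ipaddress
import os
import socket
import tempfile
from urllib.parse import urlparse

ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".webp", ".avif"}


class UnsafeSource(ValueError):
    """Raised when `src` would make the server read or fetch something it should not."""


def load_image_source_vulnerable(src, fetch):
    """Vulnerable pattern: whatever `src` names is fetched, by the web server.

    `fetch` stands in for an HTTP client. Nothing checks scheme, host or path,
    so src=http://169.254.169.254/... or http://10.0.0.5:8080/ is requested
    from inside the network, with the server's own reachability.
    """
    return fetch(src)


def load_image_source_hardened(src, uploads_root):
    """Hardened pattern: `src` is only ever a path relative to the uploads directory.

    No URL is fetched at all. The resolved path must stay inside `uploads_root`
    (realpath collapses `..` and symlinks) and must carry an image extension.
    """
    parsed = urlparse(src)
    if parsed.scheme or parsed.netloc or src.startswith("//"):
        raise UnsafeSource("scheme-qualified or remote src rejected: %r" % src)
    root = os.path.realpath(uploads_root)
    candidate = os.path.realpath(os.path.join(root, src.lstrip("/\\")))
    if os.path.commonpath([root, candidate]) != root:
        raise UnsafeSource("path escapes uploads directory: %r" % src)
    if os.path.splitext(candidate)[1].lower() not in ALLOWED_EXTENSIONS:
        raise UnsafeSource("non-image extension: %r" % src)
    with open(candidate, "rb") as fh:
        return fh.read()


def is_private_target(host):
    """For deployments that genuinely must fetch remote sources: True unless every
    address `host` resolves to is globally routable. Loopback, link-local
    (169.254.0.0/16, where cloud metadata lives), RFC 1918, ULA and reserved
    space all count as private. Fails closed when the name does not resolve."""
    try:
        addrs = {info[4][0] for info in socket.getaddrinfo(host, None)}
    except socket.gaierror:
        return True
    return any(not ipaddress.ip_address(a).is_global for a in addrs)


def demo():
    """Exercise both loaders against constructed inputs in a throwaway uploads dir."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        uploads = os.path.join(tmp, "uploads")
        os.makedirs(os.path.join(uploads, "2026", "02"))
        with open(os.path.join(uploads, "2026", "02", "hero.png"), "wb") as fh:
            fh.write(b"\x89PNG fake image bytes")  # constructed sample image
        with open(os.path.join(tmp, "wp-config.php"), "w") as fh:
            fh.write("<?php define('DB_PASSWORD', 'secret');")  # must stay unreadable

        def fake_fetch(url):  # stands in for an HTTP client; no real network I/O
            return b"fetched " + url.encode()

        results["vulnerable_metadata"] = load_image_source_vulnerable(
            "http://169.254.169.254/latest/meta-data/", fake_fetch)

        results["hardened_ok"] = load_image_source_hardened("2026/02/hero.png", uploads)
        probes = {
            "metadata": "http://169.254.169.254/latest/meta-data/",
            "internal_admin": "http://10.0.0.5:8080/admin",
            "traversal": "../wp-config.php",
            "protocol_relative": "//attacker.example/x.png",
            "file_scheme": "file:///etc/passwd",
        }
        for label, src in probes.items():
            try:
                load_image_source_hardened(src, uploads)
                results[label] = "allowed"
            except UnsafeSource:
                results[label] = "rejected"
    # Literal IPs need no DNS lookup, so these two checks run offline.
    results["metadata_ip_is_private"] = is_private_target("169.254.169.254")
    results["public_ip_is_private"] = is_private_target("93.184.216.34")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The hardened loader removes the remote-fetch capability entirely, which is the right shape for a passthru that only needs files WordPress already stores. If a deployment really must fetch remote sources, `is_private_target` is the minimum check, with one caveat: it resolves the name once and the HTTP client resolves it again, so a DNS-rebinding attacker can still pass the check unless the client pins the checked address and also re-validates on every redirect.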

Even at a Medium severity (CVSS 4.8), SSRF is a meaningful business risk because it can turn a public-facing marketing site into a “bridge” into internal systems—especially if the web server can reach internal admin panels, metadata endpoints, or services not intended for internet exposure.

Technical or Business Impacts

Confidentiality and integrity exposure: The CVSS vector indicates Low impacts to confidentiality and integrity, consistent with scenarios where internal services can be queried and, in some cases, information may be modified through internal endpoints. For leadership teams, this translates into possible unauthorized access to operational data, configuration details, or internal service responses that could support further attacks.

Compliance and reporting risk: If internal systems or sensitive data are reachable from the WordPress environment, an SSRF pathway can create audit findings and potential incident response obligations—particularly if logs show unusual internal requests originating from the web application.

Brand and revenue risk: Marketing sites are high-visibility assets. If SSRF is used as a stepping stone toward broader compromise, the downstream impact can include campaign disruption, loss of customer trust, and unplanned spend on emergency remediation.

Remediation: Update Converter for Media – Optimize images | Convert WebP & AVIF to 6.5.2 or a newer patched version as recommended by the advisory.

Similar attacks: SSRF has been central to major real-world incidents, most notably the Capital One breach (2019), where a forged request issued from a misconfigured web application firewall host reached the AWS EC2 instance metadata service and returned temporary credentials for the instance's IAM role. Reaching cloud metadata services such as AWS IMDS is a well-documented use of SSRF (e.g., AWS Security Bulletin AWS-2021-005), which is why a web server that fetches attacker-influenced URLs deserves particular attention in cloud deployments.
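The compliance paragraph above notes that exploitation leaves traces in logs. As an added example (not code from the plugin, the advisory or this site), the scanner below walks web server access-log lines, pulls the `src` query parameter out of each request and flags values that point at non-public addresses, at known internal hostnames, at non-HTTP schemes, or out of the uploads tree. The log lines are constructed for this example, the endpoint path in them is assumed (the scan keys on the `src` parameter, not on the path), and the `INTERNAL_HOSTNAMES` set is a starting point to extend per environment.

```python
"""Added example: hunting for SSRF probes against an image-passthru `src`
parameter in web server access logs. Log lines are constructed for this
example and the endpoint path in them is assumed; the scan keys on the `src`
query parameter, not on the path. Not the plugin's or the advisory's code."""
import ipaddress
import re
from urllib.parse import parse_qs, urlparse

# Apache/nginx "combined" format: client, identd, user, [time], "request", status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)

# Hostnames that reach the box itself or a cloud metadata service without DNS
# needing to be consulted; extend per environment (assumed starting set).
INTERNAL_HOSTNAMES = {"localhost", "metadata", "metadata.google.internal"}

# Constructed sample log; the plugin endpoint path is an assumption.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Feb/2026:10:01:02 +0000] "GET /wp-content/plugins/webp-converter-for-media/passthru.php?src=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 512 "-" "curl/8.5.0"
198.51.100.23 - - [12/Feb/2026:10:01:05 +0000] "GET /wp-content/plugins/webp-converter-for-media/passthru.php?src=%2Fwp-content%2Fuploads%2F2026%2F02%2Fhero.jpg HTTP/1.1" 200 48213 "https://shop.example/" "Mozilla/5.0"
203.0.113.7 - - [12/Feb/2026:10:01:09 +0000] "GET /wp-content/plugins/webp-converter-for-media/passthru.php?src=http%3A%2F%2F10.0.0.5%3A8080%2Fadmin HTTP/1.1" 200 2048 "-" "curl/8.5.0"
203.0.113.7 - - [12/Feb/2026:10:01:12 +0000] "GET /wp-content/plugins/webp-converter-for-media/passthru.php?src=http%3A%2F%2F2130706433%2F HTTP/1.1" 200 1304 "-" "curl/8.5.0"
203.0.113.7 - - [12/Feb/2026:10:01:15 +0000] "GET /wp-content/plugins/webp-converter-for-media/passthru.php?src=gopher%3A%2F%2F127.0.0.1%3A6379%2F_FLUSHALL HTTP/1.1" 500 0 "-" "curl/8.5.0"
203.0.113.7 - - [12/Feb/2026:10:01:18 +0000] "GET /wp-content/plugins/webp-converter-for-media/passthru.php?src=..%2F..%2Fwp-config.php HTTP/1.1" 403 0 "-" "curl/8.5.0"
198.51.100.23 - - [12/Feb/2026:10:01:20 +0000] "GET /wp-content/plugins/webp-converter-for-media/passthru.php?src=https%3A%2F%2Fcdn.example%2Fbanner.webp HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Feb/2026:10:01:25 +0000] "GET /wp-login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def host_to_ip(host):
    """Parse dotted, IPv6, decimal (2130706433) and hex (0x7f000001) host forms.
    Returns None for a real hostname, which would need resolution to judge."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        if host.startswith("0x"):
            return ipaddress.ip_address(int(host, 16))
        if host.isdigit():
            return ipaddress.ip_address(int(host))
    except ValueError:
        pass
    return None


def classify_src(src):
    """Return a reason string if `src` looks like an SSRF or traversal probe, else None."""
    parsed = urlparse(src)
    if parsed.scheme and parsed.scheme not in ("http", "https"):
        return "non-http scheme %s" % parsed.scheme
    host = parsed.hostname
    if host is None:
        # Plain path: only escaping the uploads tree is interesting here.
        if ".." in src.replace("\\", "/").split("/"):
            return "path traversal"
        return None
    if host.lower() in INTERNAL_HOSTNAMES:
        return "internal hostname %s" % host
    ip = host_to_ip(host)
    if ip is not None and not ip.is_global:
        return "non-global address %s" % ip
    return None


def find_ssrf_probes(lines):
    """One finding per logged request whose `src` parameter looks hostile."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        query = urlparse(match.group("target")).query
        for src in parse_qs(query).get("src", []):  # parse_qs percent-decodes
            reason = classify_src(src)
            if reason:
                findings.append({
                    "client": match.group("client"),
                    "time": match.group("time"),
                    "status": match.group("status"),
                    "src": src,
                    "reason": reason,
                })
    return findings


if __name__ == "__main__":
    for hit in find_ssrf_probes(SAMPLE_LOG.splitlines()):
        print("%(time)s %(client)s %(status)s %(reason)s <- %(src)s" % hit)
```

Two things to note when running this against real logs: a `src` that names an external hostname is not flagged, because whether it resolves to internal space can only be judged by resolving it, and the HTTP status is carried along deliberately, since a 200 with a non-trivial byte count on a metadata or internal-admin probe is what separates a successful fetch from a blocked one.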
