{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39630", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:57:36.651Z", "datePublished": "2026-04-08T08:30:28.416Z", "dateUpdated": "2026-04-29T09:52:02.938Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "getty-images", "product": "Getty Images", "vendor": "Getty Images", "versions": [{"lessThanOrEqual": "4.1.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:34.923Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Server-Side Request Forgery (SSRF) vulnerability in Getty Images Getty Images getty-images allows Server Side Request Forgery.<p>This issue affects Getty Images: from n/a through <= 4.1.0.</p>"}], "value": "Server-Side Request Forgery (SSRF) vulnerability in Getty Images Getty Images getty-images allows Server Side Request Forgery.This issue affects Getty Images: from n/a through <= 4.1.0."}], "impacts": [{"capecId": "CAPEC-664", "descriptions": [{"lang": "en", "value": "Server Side Request Forgery"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "description": "Server-Side Request Forgery (SSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:52:02.938Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/getty-images/vulnerability/wordpress-getty-images-plugin-4-1-0-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"}], "title": "WordPress Getty Images plugin <= 4.1.0 - Server Side Request Forgery (SSRF) vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T14:40:24.677827Z", "id": "CVE-2026-39630", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T14:40:51.531Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-39630", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T14:40:24.677827Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T14:39:29.098Z"}}], "cna": {"title": "WordPress Getty Images plugin <= 4.1.0 - Server Side Request Forgery (SSRF) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-664", "descriptions": [{"lang": "en", "value": "Server Side Request Forgery"}]}], "affected": [{"vendor": "Getty Images", "product": "Getty Images", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "4.1.0"}], "packageName": "getty-images", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-08T10:28:34.923Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/getty-images/vulnerability/wordpress-getty-images-plugin-4-1-0-server-side-request-forgery-ssrf-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Server-Side Request Forgery (SSRF) vulnerability in Getty Images Getty Images getty-images allows Server Side Request Forgery.This issue affects Getty Images: from n/a through <= 4.1.0.", "supportingMedia": [{"type": "text/html", "value": "Server-Side Request Forgery (SSRF) vulnerability in Getty Images Getty Images getty-images allows Server Side Request Forgery.<p>This issue affects Getty Images: from n/a through <= 4.1.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:28.416Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39630", "state": "PUBLISHED", "dateUpdated": "2026-04-14T14:40:51.531Z", "dateReserved": "2026-04-07T10:57:36.651Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-04-08T08:30:28.416Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Server-Side Request Forgery (SSRF) vulnerability in Getty Images Getty Images getty-images allows Server Side Request Forgery.This issue affects Getty Images: from n/a through <= 4.1.0."}], "id": "CVE-2026-39630", "lastModified": "2026-04-24T18:06:24.707", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-08T09:16:33.473", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/getty-images/vulnerability/wordpress-getty-images-plugin-4-1-0-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.1.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Getty Images", "source": "cna", "vendor": "Getty Images"}, "product": "getty_images", "vendor": "getty_images"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-14T16:41:19.847148+00:00", "value": {"mitigation_remediation": ["Update the Getty Images plugin to version 4.1.1 or later and verify that the update has been applied correctly.", "If an update cannot be performed immediately, disable the Getty Images plugin from WordPress until a patch is applied.", "Configure the host firewall or use a dedicated outbound request limiting plugin to block the WordPress installation from making HTTP requests to internal network ranges or to untrusted destinations.", "Monitor WordPress access logs and server logs for unusual outbound HTTP requests and investigate any anomalies promptly."], "summary": {"action": "Immediate Patch", "impact": "Server-side request forgery enabling attackers to force unused or malicious external requests from the affected WordPress site"}, "threat_synthesis": {"affected_systems": "WordPress installations that use the Getty Images plugin version 4.1.0 or earlier are affected. Any site that has not upgraded beyond 4.1.0 (or migrated to a newer plugin version) remains vulnerable.", "description_and_impact": "The Getty Images WordPress plugin contains an SSRF flaw that allows an attacker to supply a custom URL that the server will resolve and fetch without proper validation. This weakness can lead to unauthorized disclosure of data, internal network reconnaissance, or interaction with internal services, depending on the target URLs accessed. The vulnerability is identified as CWE\u2011918 and is documented as existing in all releases up to and including version 4.1.0.", "risk_and_exploitability": "The CVSS score of 6.4 indicates a moderate severity, and an EPSS score of less than 1% suggests the likelihood of exploitation is low at present. The vulnerability does not appear in CISA\u2019s KEV catalog. Attackers could exploit the flaw via a web request to the plugin\u2019s endpoint, potentially forcing the server to contact arbitrary internal or external resources. No public exploit code is documented, but the path to exploitation is straightforward and only requires web access to the vulnerable plugin endpoint."}}}}, "created": "2026-04-08T19:29:28.807436+00:00", "updated": "2026-04-14T16:41:31.058466+00:00", "vendors": ["getty_images", "getty_images$PRODUCT$getty_images", "wordpress", "wordpress$PRODUCT$wordpress"]}