{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39630", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:57:36.651Z", "datePublished": "2026-04-08T08:30:28.416Z", "dateUpdated": "2026-04-08T08:30:28.416Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "getty-images", "product": "Getty Images", "vendor": "Getty Images", "versions": [{"lessThanOrEqual": "4.1.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:34.923Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Server-Side Request Forgery (SSRF) vulnerability in Getty Images Getty Images getty-images allows Server Side Request Forgery.<p>This issue affects Getty Images: from n/a through <= 4.1.0.</p>"}], "value": "Server-Side Request Forgery (SSRF) vulnerability in Getty Images Getty Images getty-images allows Server Side Request Forgery.This issue affects Getty Images: from n/a through <= 4.1.0."}], "impacts": [{"capecId": "CAPEC-664", "descriptions": [{"lang": "en", "value": "Server Side Request Forgery"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "description": "Server-Side Request Forgery (SSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:28.416Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/getty-images/vulnerability/wordpress-getty-images-plugin-4-1-0-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"}], "title": "WordPress Getty Images plugin <= 4.1.0 - Server Side Request Forgery (SSRF) vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Server-Side Request Forgery (SSRF) vulnerability in Getty Images Getty Images getty-images allows Server Side Request Forgery.This issue affects Getty Images: from n/a through <= 4.1.0."}], "id": "CVE-2026-39630", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T09:16:33.473", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/getty-images/vulnerability/wordpress-getty-images-plugin-4-1-0-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.1.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Getty Images", "source": "cna", "vendor": "Getty Images"}, "product": "getty_images", "vendor": "getty_images"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T09:35:22.023397+00:00", "value": {"mitigation_remediation": ["Upgrade Getty Images plugin to version 4.1.1 or newer.", "If an upgrade is not immediately possible, disable or delete the Getty Images plugin from the WordPress installation."], "summary": {"action": "Patch Immediately", "impact": "Server\u2011Side Request Forgery enabling arbitrary internal requests"}, "threat_synthesis": {"affected_systems": "The affected component is the Getty Images WordPress plugin, provided by Getty Images, for all releases from the initial version through version 4.1.0. Users running any of those versions on a WordPress site are vulnerable.", "description_and_impact": "A Server\u2011Side Request Forgery flaw exists in the Getty Images WordPress plugin for versions up to and including 4.1.0. The vulnerability allows an attacker to provoke the plugin to send HTTP requests to any target specified by the attacker. The plugin\u2019s requests can be made to internal or external resources, potentially leaking sensitive data, accessing internal services, or serving as a foothold for further attacks. The weakness is classified as CWE\u2011918, a typical SSRF scenario where user input is not properly validated before being used as a request target.", "risk_and_exploitability": "The CVSS score, EPSS probability, and KEV status are not documented for this CVE. Nonetheless, the flaw can be exploited remotely by any party that can trigger a request to the WordPress instance hosting the plugin, such as via an exposed API endpoint or a crafted link. Exploitation conditions are relatively simple: the plugin must be active and the WordPress site must be reachable, after which an attacker can supply arbitrary URLs to force outbound traffic. The impact includes potential data leakage, internal network enumeration, and possible lateral movement, making the risk significant for any site that exposes the plugin to unauthenticated users."}}}}, "created": "2026-04-08T19:29:28.807436+00:00", "updated": "2026-04-08T19:41:45.478410+00:00", "vendors": ["getty_images", "getty_images$PRODUCT$getty_images", "wordpress", "wordpress$PRODUCT$wordpress"]}