Description
PHP-FPM (FastCGI Process Manager) is an alternative PHP FastCGI implementation. PHP-FPM has a feature that allows setting up a status page to view the status of a PHP-FPM pool, configurable using the option pm.status_path.
On this server the PHP-FPM status page is publicly accessible. It exposes pool metrics (process counts, queue lengths, request details) to anyone who can reach it, so for security reasons it's recommended to keep your PHP-FPM status page private.
Remediation
For security reasons, it's recommended to keep your PHP-FPM status page private. You can restrict access to certain IP addresses by using the allow keyword in the nginx location block that proxies the status and ping paths, as shown below (the comment must follow the semicolon, otherwise nginx treats the rest of the line as a comment):

location ~ ^/(status|ping)$ {
    access_log off;
    allow 127.0.0.1;
    allow 1.2.3.4;   # your-ip: replace with the address allowed to see the status page
    deny all;        # everyone else gets 403 Forbidden
    include fastcgi_params;
    fastcgi_pass 127.0.0.1:9000;
}
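To verify the remediation from a host that should be denied, the following added check (example code, not part of this advisory) requests the status path and reports whether a PHP-FPM status page is still readable. It recognises the page by the fixed field names PHP-FPM prints ("pool", "process manager", "accepted conn", ...); the sample bodies are constructed, and the URL is a placeholder.

```python
from typing import Dict
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# Field names that PHP-FPM always prints on its plain-text status page.
FPM_STATUS_KEYS = {"pool", "process manager", "accepted conn", "listen queue", "active processes"}

# Constructed sample of a publicly readable status page (not captured from a real host).
SAMPLE_EXPOSED = """pool:                 www
process manager:      dynamic
start time:           01/Jan/2024:00:00:00 +0000
accepted conn:        678
listen queue:         0
active processes:     1
total processes:      5
"""

# Constructed sample of what nginx returns once "deny all" is in place.
SAMPLE_DENIED = "<html><body><h1>403 Forbidden</h1></body></html>"


def parse_fpm_status(body: str) -> Dict[str, str]:
    """Parse 'key: value' lines of the status page; keys are lower-cased."""
    fields: Dict[str, str] = {}
    for line in body.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")  # split on the first colon only (values may contain ':')
        fields[key.strip().lower()] = value.strip()
    return fields


def is_fpm_status_exposed(http_status: int, body: str) -> bool:
    """True when the response is a 200 whose body carries the PHP-FPM status fields."""
    if http_status != 200:
        return False
    return FPM_STATUS_KEYS.issubset(parse_fpm_status(body))


def check_status_url(url: str, timeout: float = 5.0) -> bool:
    """Fetch the status path; a 403 (or any error) means the restriction works."""
    try:
        with urlopen(Request(url, headers={"User-Agent": "fpm-status-check"}), timeout=timeout) as resp:
            return is_fpm_status_exposed(resp.status, resp.read().decode("utf-8", "replace"))
    except (HTTPError, URLError):
        return False


if __name__ == "__main__":
    print("exposed" if check_status_url("http://example.invalid/status") else "not exposed")  # placeholder URL
```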
References
Related Vulnerabilities
WordPress Plugin BulletProof Security Information Disclosure (5.1)
WordPress 5.6.x Multiple Vulnerabilities (5.6 - 5.6.9)
WordPress Plugin Save Contact Form 7 Information Disclosure (2.0)
GoCD information disclosure (CVE-2021-43287)
WordPress Plugin Correos Woocommerce Arbitrary File Download (1.3.0.0)