Description
WordPress is prone to a server-side request forgery vulnerability. An attacker may leverage this issue to make the vulnerable server perform port scanning of hosts in internal or external networks; other attacks are also possible. WordPress versions ranging from 3.7 and up to (and including) 6.1.1 are vulnerable.
Remediation
Block/Turn off access to XMLRPC/pingbacks as per researchers recommandation
References
https://blog.sonarsource.com/wordpress-core-unauthenticated-blind-ssrf/
https://sploitus.com/exploit?id=WPEX-ID:C8814E6E-78B3-4F63-A1D3-6906A84C1F11
Related Vulnerabilities
Python Integer Overflow or Wraparound Vulnerability (CVE-2017-1000158)
Apache 2.x version equal to 2.0.51
WordPress Plugin InPost Gallery Multiple Vulnerabilities (2.1.2)
WordPress Plugin Post to Social Media-WordPress to Hootsuite Cross-Site Scripting (1.3.8)
WordPress Plugin Calendar Event Multi View Unspecified Vulnerability (1.3.58)