Description
WordPress is affected by an unauthenticated blind SSRF in the pingback feature. Because of a TOCTOU (time-of-check to time-of-use) race condition between the validation checks and the HTTP request, attackers can reach internal hosts that are explicitly forbidden.
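The pattern behind this class of bug is a validate-then-fetch sequence in which the hostname is resolved once for the check and resolved again by the HTTP client at connect time, so a DNS answer that changes between the two lookups defeats the check. The following added example (written in Python rather than WordPress's PHP, and not taken from WordPress or from this page) shows that sequence beside the hardened form, which resolves the name once, validates the resolved address, and connects to that pinned address with the original Host header. The resolver, the addresses and the URL are constructed for the demonstration; RebindingResolver is a hypothetical stand-in for DNS, not a real library.

```python
import http.client
import ipaddress
from urllib.parse import urlsplit


class RebindingResolver:
    """Constructed fake DNS: first lookup of a name returns one address,
    every later lookup returns another. Simulates a rebinding answer so
    the two code paths below can be compared offline (hypothetical)."""

    def __init__(self, first_ip, later_ip):
        self.first_ip = first_ip
        self.later_ip = later_ip
        self.lookups = {}

    def resolve(self, host):
        n = self.lookups.get(host, 0)
        self.lookups[host] = n + 1
        return self.first_ip if n == 0 else self.later_ip


def is_public(ip):
    """True only for a globally routable unicast address (v4 or v6).
    IPv4-mapped IPv6 addresses are unwrapped so ::ffff:127.0.0.1 is caught."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def vulnerable_target(url, resolver):
    """Validate-then-fetch: the name is resolved for the check, then the
    HTTP client resolves it again when connecting (the TOCTOU window).
    Returns the address the request would actually go to."""
    host = urlsplit(url).hostname
    if not is_public(resolver.resolve(host)):      # time of check
        raise ValueError("forbidden host")
    return resolver.resolve(host)                  # time of use: second lookup


def hardened_target(url, resolver):
    """Resolve once, validate the resolved address, and hand that exact
    address to the connection code so no second lookup can occur."""
    host = urlsplit(url).hostname
    ip = resolver.resolve(host)
    if not is_public(ip):
        raise ValueError("forbidden host")
    return ip


def pinned_request(url, ip, timeout=5):
    """Connect to the pre-validated address, not the hostname, keeping the
    original Host header. Redirects are not followed: each redirect target
    must go through hardened_target again before being fetched.
    (Plain HTTP only; TLS would additionally need server_hostname=host.)"""
    parts = urlsplit(url)
    if parts.scheme != "http":
        raise ValueError("only http is handled in this example")
    port = parts.port or 80
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    conn.request("GET", path, headers={"Host": parts.hostname})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, body


if __name__ == "__main__":
    # 1.1.1.1 stands in for a public address, 127.0.0.1 for a forbidden one.
    url = "http://rebind.example/xmlrpc-target"
    print("vulnerable path connects to:", vulnerable_target(url, RebindingResolver("1.1.1.1", "127.0.0.1")))
    print("hardened path connects to:  ", hardened_target(url, RebindingResolver("1.1.1.1", "127.0.0.1")))
```

Run with no arguments: the vulnerable path reports a connection to 127.0.0.1 even though the check passed, while the hardened path keeps the address that was validated. In a real deployment the same single-resolution rule has to be applied again to every redirect target, and the allow/deny decision should be made on the resolved address, not on the hostname string.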
Remediation
References
Related Vulnerabilities
WordPress Plugin WP Prayer Cross-Site Request Forgery (1.5.4)
XWiki Incorrect Authorization Vulnerability (CVE-2022-23615)
WordPress Plugin Contact Form 7 Cross-Site Scripting (4.0.1)
WordPress Plugin 404 to 301-Redirect, Log and Notify 404 Errors Cross-Site Scripting (2.3.1)
Oracle HTTP Server Out-of-bounds Write Vulnerability (CVE-2021-44790)