Description

WordPress is affected by an unauthenticated blind SSRF in the pingback feature. Because of a TOCTOU race condition between the validation checks and the HTTP request, attackers can reach internal hosts that are explicitly forbidden.

Remediation

References

CVE-2022-3590

Related Vulnerabilities

PostgreSQL Permissions, Privileges, and Access Controls Vulnerability (CVE-2005-0244)

WordPress 4.9.x PHP Object Injection (4.9 - 4.9.17)

JBoss Application Server Improper Privilege Management Vulnerability (CVE-2012-2312)

WordPress Plugin Visualizer:Tables and Charts Manager for WordPress Cross-Site Scripting (3.9.1)

WordPress Plugin Image News slider Arbitrary File Upload (3.5)

Severity

Medium

Classification

CVE-2022-3590 CWE-367 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Missing Update Known Vulnerabilities