Description

WordPress is affected by an unauthenticated blind SSRF in the pingback feature. Because of a TOCTOU race condition between the validation checks and the HTTP request, attackers can reach internal hosts that are explicitly forbidden.

Remediation

References

CVE-2022-3590

Related Vulnerabilities

WordPress Plugin Clean Login Cross-Site Request Forgery (1.7.12)

Jenkins Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Vulnerability (CVE-2018-1000863)

PostgreSQL Permissions, Privileges, and Access Controls Vulnerability (CVE-2005-0244)

Ampache Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2024-51487)

Atlassian Confluence Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Vulnerability (CVE-2019-3396)

Severity

Medium

Classification

CVE-2022-3590 CWE-367 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Missing Update Known Vulnerabilities