PT-2016-5073 · WordPress · Wordpress

Ronni Skansing

Published

2016-02-08

Updated

2017-11-04

CVE-2016-2222

CVSS v3.1

8.6

High

Vector

AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions WordPress versions prior to 4.4.2

Description The issue allows remote attackers to conduct server-side request forgery (SSRF) attacks. This is achieved by providing a zero value in the first octet of an IPv4 address in the u parameter to the "/wp-admin/press-this.php" API endpoint.

Recommendations For versions prior to 4.4.2, update to version 4.4.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/wp-admin/press-this.php" API endpoint until the update is applied. Avoid using the u parameter in the affected API endpoint until the issue is resolved.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Related Identifiers

CVE-2016-2222

DLA-418-1

DSA-3472-1

Affected Products

Wordpress

PT-2016-5073 · WordPress · Wordpress

CVE-2016-2222

Related Identifiers

Affected Products

References · 24