PT-2022-23007 · WordPress+1 · Wordpress+1

Thomas Chauchefoin · Published 2022-12-14 · Updated 2026-02-19 · CVE-2022-3590

CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions:
- WordPress versions prior to 6.1
- WordPress versions 6.1 through 6.2
- WordPress versions 6.1 through 6.9.1
Description: WordPress is susceptible to an unauthenticated blind Server-Side Request Forgery (SSRF) in the pingback feature, reachable through the /xmlrpc.php endpoint. The cause is a Time-of-Check-to-Time-of-Use (TOCTOU) race condition between the validation checks and the HTTP request: the target hostname is resolved and checked first, then resolved again when the request is actually made, so the address can change in between. This allows attackers to reach internal hosts that the checks explicitly prohibit. Exploitation can involve DNS rebinding, so that the name resolves to an allowed address during validation and to an internal one for the request. Potential impacts include internal reconnaissance and port scanning on ports such as 80, 443 and 8080, and access to cloud metadata if the DNS answer changes to an address like 169.254.169.254. Remote Code Execution (RCE) is unlikely without chaining this issue with other internal vulnerabilities.
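To make the TOCTOU window concrete, here is an added illustration (not code from WordPress or from the advisory's author): a constructed resolver that models DNS rebinding, a validate-then-request function that looks the name up twice, and a hardened variant that pins the validated address. The functions return the address the connection would be made to instead of performing a real HTTP request.

```python
import ipaddress
from typing import Callable


class RebindingResolver:
    """Constructed stand-in for DNS: the first lookup returns one address,
    every later lookup returns another (a minimal DNS-rebinding model)."""

    def __init__(self, first: str, later: str) -> None:
        self.answers = [first, later]
        self.calls = 0

    def resolve(self, host: str) -> str:
        ip = self.answers[min(self.calls, len(self.answers) - 1)]
        self.calls += 1
        return ip


def is_allowed(ip: str) -> bool:
    """Reject private, loopback and link-local targets such as 169.254.169.254."""
    return ipaddress.ip_address(ip).is_global


def fetch_toctou(host: str, resolve: Callable[[str], str]) -> str:
    """Validate, then resolve again for the connection: the race the advisory
    describes. Returns the address the request would actually go to."""
    if not is_allowed(resolve(host)):
        raise ValueError("blocked by validation")
    return resolve(host)  # second lookup: may now be an internal address


def fetch_pinned(host: str, resolve: Callable[[str], str]) -> str:
    """Resolve once, validate that exact address, and connect only to it."""
    ip = resolve(host)
    if not is_allowed(ip):
        raise ValueError("blocked by validation")
    return ip  # the validated address is the one used for the connection
```

Pinning alone does not cover HTTP redirects; the same check has to run again on every redirect target, which is why the page recommends disabling pingbacks outright where they are not needed.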
Recommendations:
- For WordPress versions prior to 6.1: at the moment, there is no information about a newer version that contains a fix for this vulnerability.
- For WordPress versions 6.1 through 6.2: at the moment, there is no information about a newer version that contains a fix for this vulnerability.
- For WordPress versions 6.1 through 6.9.1: disable XML-RPC via plugin or .htaccess. As an alternative, uncheck "Allow link notifications from other blogs (pingbacks and trackbacks) on new posts" in the Discussion Settings to disable pingbacks.

Tags: Exploit · RCE · Time Of Check To Time Of Use

Related Identifiers

BIT-WORDPRESS-2022-3590
BIT-WORDPRESS-MULTISITE-2022-3590
CVE-2022-3590

Affected Products

Debian
Wordpress