WordPress instances below version 6.1.1 are vulnerable to CVE-2022-3590 when XML-RPC or pingbacks is enabled.
WordPress is affected by an unauthenticated blind SSRF in the pingback feature. Because of a TOCTOU race condition between the validation checks and the HTTP request, attackers could reach internal hosts that would otherwise be explicitly forbidden.
-- Updated 9 Mar 2023 --
We are all still waiting for Wordpress developers to fix the root cause of the vulnerability, The vulnerability is on the list of issues to be fixed, but as it is deemed low risk and its has the potential to break many thrid-party plugins, and is also has dependencies on the Request libraries that are currently being updated will complicate matters.
For now the best action to take is to disable only 'pingbacks' or also entirely block access to XML-RPC.
Your cPanel account has access to Wordpress Toolkit, which now has an option the Mitigate* the SSRF vulnerability.
Or read the above kb link for the existing methods to Mitigate* the SSRF vulnerability.
* The term 'Mitigated' is used to indicate that the vulnerability still exists, but steps have been taken to stop or reduce the risk.
Monday, December 19, 2022