CVE-2022-3590 WordPress SSRF vulnerability

Situation

WordPress instances up to and including 6.1.1 (no fixed release exists at the time of writing) are vulnerable to CVE-2022-3590 when XML-RPC is enabled and pingbacks are accepted. Pingbacks are delivered over XML-RPC, so the issue is only reachable while the xmlrpc.php endpoint is exposed.

Description

WordPress is affected by an unauthenticated blind SSRF in the pingback feature. The pingback handler validates the attacker-supplied source URL by resolving its hostname and checking the address against forbidden ranges (loopback, private networks), but the HTTP request that follows resolves the hostname a second time. Because of this TOCTOU race condition between the validation checks and the HTTP request, an attacker who controls the DNS answers for the hostname can have the check see a public address and the request see an internal one, reaching internal hosts that the checks are meant to explicitly forbid.
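The validate-then-request shape described above, as an added example that is not WordPress code and not taken from the Sonar write-up. It uses a constructed in-memory resolver that answers a hypothetical attacker-controlled name (rebind.attacker.example) with a public address on the first lookup and 127.0.0.1 on the second, which is what a DNS-rebinding server does with a very low TTL. The vulnerable function resolves once for the check and once more for the request; the hardened function resolves a single time, validates that address, and connects to that same address. The public address used (93.184.216.34) and all hostnames are assumptions for the demonstration.

```python
import ipaddress
from typing import Dict, List


class RebindingResolver:
    """Constructed stand-in for DNS (not a real resolver): each name has a queue
    of answers and the last answer repeats. A DNS-rebinding attacker's
    authoritative server behaves this way: public address first, internal next."""

    def __init__(self, answers: Dict[str, List[str]]) -> None:
        self.answers = {name: list(ips) for name, ips in answers.items()}
        self.lookups = 0

    def resolve(self, host: str) -> str:
        self.lookups += 1
        queue = self.answers[host]
        return queue.pop(0) if len(queue) > 1 else queue[0]


def is_forbidden(ip: str) -> bool:
    """SSRF deny check: anything that is not a globally routable unicast address
    (loopback, RFC 1918, link-local, multicast, reserved, CGNAT) is refused."""
    return not ipaddress.ip_address(ip).is_global


def open_request(ip: str, host: str, path: str) -> str:
    """Stand-in for the HTTP client; reports which address the socket would target."""
    return f"GET {path} -> {ip} (Host: {host})"


def vulnerable_fetch(host: str, path: str, resolver: RebindingResolver) -> str:
    """Validate-then-request with two independent lookups: the TOCTOU shape.
    The check passes on lookup #1, the request connects to whatever lookup #2 says."""
    if is_forbidden(resolver.resolve(host)):      # time of check: lookup #1
        raise ValueError(f"refusing {host}: resolves to a forbidden address")
    ip = resolver.resolve(host)                   # time of use: lookup #2
    return open_request(ip, host, path)


def hardened_fetch(host: str, path: str, resolver: RebindingResolver) -> str:
    """Resolve once, validate that address, and pin the connection to it.
    The HTTP client must be told the IP (with the original Host header), not the name."""
    ip = resolver.resolve(host)
    if is_forbidden(ip):
        raise ValueError(f"refusing {host}: resolves to a forbidden address")
    return open_request(ip, host, path)


def rebinding_answers() -> Dict[str, List[str]]:
    """Constructed DNS data: the attacker name flips from a public address to
    loopback on the second query; the intranet name is internal from the start."""
    return {
        "rebind.attacker.example": ["93.184.216.34", "127.0.0.1"],
        "intranet.example": ["10.0.0.5"],
    }


if __name__ == "__main__":
    # Same input, different outcome depending on how many times the name is resolved.
    print(vulnerable_fetch("rebind.attacker.example", "/", RebindingResolver(rebinding_answers())))
    print(hardened_fetch("rebind.attacker.example", "/", RebindingResolver(rebinding_answers())))
```

Pinning the address is only complete if the client also refuses to follow redirects (or re-validates every hop), since a 3xx to an internal URL reintroduces the same second lookup through a different door.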

References

CVE: CVE-2022-3590
URL: https://blog.sonarsource.com/wordpress-core-unauthenticated-blind-ssrf/ (full technical write-up)

Impact

A WordPress website can be made to send HTTP requests to systems on its internal network through a blind Server Side Request Forgery (SSRF) exploited via DNS rebinding. The SSRF is blind: the attacker does not receive the response body directly, but can still reach internal services and infer information about them (for example, from timing or side effects).

The probability of exploitation of this vulnerability is considered low.

Fix

No fix is available at this time.

Mitigation

Until the WordPress developers resolve the issue, it is recommended to mitigate the vulnerability with one of the following options:

  1. The most secure option is to disable XML-RPC [kb link]. Pingbacks travel over XML-RPC, so this closes the vulnerable endpoint entirely, but it also disables every other XML-RPC client (for example the WordPress mobile apps and Jetpack).

  2. A less secure option is to disable Pingbacks [kb link]. This removes the vulnerable feature while leaving the rest of XML-RPC available; it is less secure because xmlrpc.php stays exposed to other abuse (such as credential brute-forcing via system.multicall).
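Because the Toolkit warning does not clear after either option is applied (see the note below), an independent check is useful. The following is an added example, not part of the original article and not Plesk or WordPress code: it builds an unauthenticated system.listMethods call, parses the XML-RPC reply, and reports whether any pingback.* methods are still advertised by xmlrpc.php. The site name wordpress.example and the sample responses are constructed for the demonstration; the fault string mirrors the message WordPress returns when XML-RPC has been turned off.

```python
import urllib.error
import urllib.request
import xmlrpc.client
from typing import List
from xml.parsers.expat import ExpatError

# Hypothetical site used by the live probe; not a real target.
SITE = "https://wordpress.example"


def list_methods_request() -> bytes:
    """XML-RPC body for system.listMethods, which WordPress answers without credentials."""
    return xmlrpc.client.dumps((), methodname="system.listMethods").encode()


def exposed_pingback_methods(response_body: bytes) -> List[str]:
    """Return the pingback.* methods advertised in an XML-RPC methodResponse.

    An empty list means one of: XML-RPC is off (fault reply), the endpoint is
    blocked at the web server (non-XML reply), or pingback methods were removed."""
    try:
        (methods,), _ = xmlrpc.client.loads(response_body)
    except (xmlrpc.client.Fault, xmlrpc.client.ResponseError, ExpatError):
        return []
    return sorted(m for m in methods if m.startswith("pingback."))


def probe_site(site: str = SITE) -> List[str]:
    """Live check (needs network): POST system.listMethods to /xmlrpc.php.

    A web-server-level block typically answers 403/404 with HTML; that body is
    still fed to the parser, which yields an empty list."""
    req = urllib.request.Request(
        site.rstrip("/") + "/xmlrpc.php",
        data=list_methods_request(),
        headers={"Content-Type": "text/xml"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            body = resp.read()
    except urllib.error.HTTPError as err:
        body = err.read()
    return exposed_pingback_methods(body)


# Constructed sample replies (not captured from a real site), one per state.
SAMPLE_PINGBACK_ON = xmlrpc.client.dumps(
    (["system.listMethods", "pingback.ping",
      "pingback.extensions.getPingbacks", "wp.getPosts"],),
    methodresponse=True,
).encode()
SAMPLE_PINGBACK_OFF = xmlrpc.client.dumps(
    (["system.listMethods", "wp.getPosts"],), methodresponse=True
).encode()
SAMPLE_XMLRPC_OFF = xmlrpc.client.dumps(
    xmlrpc.client.Fault(405, "XML-RPC services are disabled on this site."),
    methodresponse=True,
).encode()
SAMPLE_WEBSERVER_BLOCK = b"<html><body><h1>403 Forbidden</h1></body></html>"


if __name__ == "__main__":
    for label, body in [("pingback on", SAMPLE_PINGBACK_ON),
                        ("pingback off", SAMPLE_PINGBACK_OFF),
                        ("xmlrpc off", SAMPLE_XMLRPC_OFF),
                        ("web server block", SAMPLE_WEBSERVER_BLOCK)]:
        print(f"{label:17s} -> {exposed_pingback_methods(body)}")
```

A listed pingback.ping only shows that the method is still reachable; it does not prove that any post accepts pings. Run probe_site() against your own site after applying a mitigation and expect an empty list.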

Note

At the moment, the warning about this vulnerability will remain in WordPress Toolkit even after either of the options above has been applied; the warning is tied to the installed WordPress version, not to the mitigation.

  • Security, CVE, XML-RPC, Pingbacks

Related Articles

How to disable pingbacks

What is a WordPress pingback? A WordPress pingback is a notification that WordPress sends to...

How to disable XML-RPC

Read First - Should You Disable XML-RPC on WordPress?   Options for disabling XML-RPC Plugin...