High severity8.6NVD Advisory· Published Aug 7, 2016· Updated May 6, 2026

CVE-2016-4029

Description

WordPress before 4.5 does not consider octal and hexadecimal IP address formats when determining an intranet address, which allows remote attackers to bypass an intended SSRF protection mechanism via a crafted address.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

core.trac.wordpress.org/querynvdPatch
www.securitytracker.com/id/1036594nvdBroken LinkThird Party AdvisoryVDB Entry
codex.wordpress.org/Version_4.5nvdRelease Notes
www.debian.org/security/2016/dsa-3681nvdMailing List
wpvulndb.com/vulnerabilities/8473nvdBroken Link

News mentions

No linked articles in our index yet.

cvss	0.559
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000