Severity: Unrated · NVD Advisory · Published Dec 14, 2022 · Updated Apr 21, 2025
WP <= 6.1.1 - Unauthenticated Blind SSRF via DNS Rebinding
CVE-2022-3590
Description
WordPress is affected by an unauthenticated blind SSRF in the pingback feature. Because of a time-of-check/time-of-use (TOCTOU) race condition between the validation checks and the subsequent HTTP request, an attacker can cause the request to reach internal hosts that the validation explicitly forbids.
Affected products (3)
- osv-coords (2 versions): >= 4.1.0, < 4.1.1 (+ 1 more)
- (no CPE) range: >= 4.1.0, < 4.1.1
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
- wpscan.com/vulnerability/c8814e6e-78b3-4f63-a1d3-6906a84c1f11 (tags: mitre, exploit, vdb-entry, technical-description)
- blog.sonarsource.com/wordpress-core-unauthenticated-blind-ssrf/ (tags: mitre)
News mentions (0)
No linked articles in our index yet.