CVE-2022-3590

WP <= 6.1.1 - Unauthenticated Blind SSRF via DNS Rebinding

Severity Score

5.9

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

WordPress is affected by an unauthenticated blind SSRF in the pingback feature. Because of a TOCTOU race condition between the validation checks and the HTTP request, attackers can reach internal hosts that are explicitly forbidden.

WordPress se ve afectado por blind SSRF no autenticado en la función de pingback. Debido a una condición de ejecución TOCTOU entre las comprobaciones de validación y la solicitud HTTP, los atacantes pueden llegar a hosts internos que están explícitamente prohibidos.

WordPress Core, in all known versions is vulnerable to blind Server-Side Request Forgery in its pingback feature. This is due to a Time-of-Check-Time-of-Use (TOC-TOU) race condition between validation checks and HTTP requests that makes it possible for URLs to be validated and then changed before being used by the software. This makes it possible for an attacker to change the domain in a pingback request to point to a different address than the one validated before, thus exposing hosts that should not be reachable on a server. The original researcher couldn't identify any ways to exploit this to take over vulnerable sites without other vulnerable services on the site meaning this would be difficult to exploit. The issue was first reported in 2017 and it's recommendd to block xmlrpc.php at the web server level, if not in use to prevent this from being exploited.

*Credits: Thomas Chauchefoin, WPScan

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-09-06 CVE Published
2022-10-18 CVE Reserved
2023-06-12 First Exploit
2024-07-06 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition
CWE-918: Server-Side Request Forgery (SSRF)

CAPEC

References (4)

URL	Tag	Source

URL	Date	SRC
https://github.com/hxlxmjxbbxs/CVE-2022-3590-WordPress-Vulnerability-Scanner	2023-06-12
https://github.com/huynhvanphuc/CVE-2022-3590-WordPress-Vulnerability-Scanner	2023-06-12
https://blog.sonarsource.com/wordpress-core-unauthenticated-blind-ssrf	2024-08-03
https://wpscan.com/vulnerability/c8814e6e-78b3-4f63-a1d3-6906a84c1f11	2024-08-03

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				>= 4.2 <= 6.1.1 Search vendor "Wordpress" for product "Wordpress" and version " >= 4.2 <= 6.1.1"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				4.1 Search vendor "Wordpress" for product "Wordpress" and version "4.1"		-		Affected