CVE-2016-2222 — Server-Side Request Forgery in Wordpress

7 documents5 sources

Severity

8.6HIGHNVD

EPSS

5.2%

top 10.09%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wordpress Debian Wordpress

Timeline

PublishedMay 22

Latest updateMay 17

Description

The wp_http_validate_url function in wp-includes/http.php in WordPress before 4.4.2 allows remote attackers to conduct server-side request forgery (SSRF) attacks via a zero value in the first octet of an IPv4 address in the u parameter to wp-admin/press-this.php.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:NExploitability: 3.9 | Impact: 4.0

Affected Packages3 packages

▶debiandebian/wordpress< wordpress 4.4.2+dfsg-1 (bookworm)

▶Debianwordpress/wordpress< 4.4.2+dfsg-1+3

▶NVDwordpress/wordpress4.4.1

Patches

Patch: codex.wordpress.org ↗Patch: wordpress.org ↗Patch: codex.wordpress.org ↗

🔴Vulnerability Details

GHSA

GHSA-5r7p-x5gj-698r: The wp_http_validate_url function in wp-includes/http↗2022-05-17

▶

OSV

CVE-2016-2222: The wp_http_validate_url function in wp-includes/http↗2016-05-22

▶

📋Vendor Advisories

Debian

CVE-2016-2222: wordpress - The wp_http_validate_url function in wp-includes/http.php in WordPress before 4....↗2016

▶

💬Community

Bugzilla

CVE-2016-2221 CVE-2016-2222 wordpress: SSRF and open redirect issues fixed in 4.4.2 [epel-all]↗2016-02-08

▶

Bugzilla

CVE-2016-2221 CVE-2016-2222 wordpress: SSRF and open redirect issues fixed in 4.4.2↗2016-02-08

▶

Bugzilla

CVE-2016-2221 CVE-2016-2222 wordpress: SSRF and open redirect issues fixed in 4.4.2 [fedora-all]↗2016-02-08

▶