CVE-2022-3590
published 2022-12-14


Priority P278 · medium 5.9 · CVSS 3.1
CVSS vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
ITW EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 3.15% (86.3rd percentile)
WordPress is affected by an unauthenticated blind SSRF in the pingback feature. Because of a TOCTOU race condition between the validation checks and the HTTP request, attackers can reach internal hosts that are explicitly forbidden.

Affected

4 ranges

Vendor      Product     Version range     Fixed in
debian      wordpress   (not given)       (not given)
wordpress   wordpress   (not given)       (not given)
wordpress   wordpress   4.1.30 – 6.1.1    (not given)
wordpress   wordpress   4.2 – 6.1.1       (not given)

Detection & IOCs (extracted from sources)

url: http://{{interactsh-url}}/
url: {{RootURL}}/?p=1
  • Exploit targets the XML-RPC pingback.ping method; detect POST requests to /xmlrpc.php invoking 'pingback.ping' with an out-of-band callback URL as the first parameter.
  • A successful probe returns HTTP 200 with a text/xml content-type body containing 'faultCode', indicating the pingback was processed (even if faulted). Monitor for this response pattern on WordPress xmlrpc.php endpoints.
  • Out-of-band DNS interaction is the confirmation signal for successful SSRF exploitation; correlate DNS callbacks from WordPress server IPs against pingback.ping requests.
  • The vulnerability is a TOCTOU race condition between validation checks and the HTTP request in the pingback feature, allowing attackers to reach internal hosts that are explicitly forbidden.
  • The SSRF is unauthenticated and blind — no direct response data is returned to the attacker; detection must rely on out-of-band (OOB) DNS/HTTP callback monitoring rather than response body inspection alone.
  • As of the Debian security tracker, this CVE remains open (unpatched) across bookworm, bullseye, forky, sid, and trixie — WordPress installations on Debian-based systems should be treated as vulnerable regardless of OS patch level.
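The detection bullets above describe a request/response pattern rather than a rule. The following added example (not part of this record or of any vendor's tooling) turns it into a small classifier for a captured xmlrpc.php exchange: it parses the XML-RPC body, confirms the method is pingback.ping, extracts the first-parameter callback host, checks it against a SOC-maintained list of out-of-band callback domains, and notes when the text/xml reply carries a faultCode (the pingback was processed). The sample request, response, site host and OOB_DOMAINS set are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample request body: the shape of a pingback.ping call posted to
# /xmlrpc.php. Hostnames are placeholders, not real indicators.
SAMPLE_REQUEST = """<?xml version="1.0"?>
<methodCall>
  <methodName>pingback.ping</methodName>
  <params>
    <param><value><string>http://oob-callback.example/</string></value></param>
    <param><value><string>http://blog.example/?p=1</string></value></param>
  </params>
</methodCall>"""

# Constructed sample response: WordPress answers a processed pingback with an
# XML-RPC fault, so the presence of faultCode is the "it ran" signal.
SAMPLE_RESPONSE = ('<?xml version="1.0"?><methodResponse><fault><value><struct>'
                   '<member><name>faultCode</name><value><int>0</int></value></member>'
                   '</struct></value></fault></methodResponse>')

# Hypothetical allow-list of OOB callback domains the SOC has seen in probes.
OOB_DOMAINS = {"oob-callback.example"}

def parse_pingback(body):
    """Return (source_url, target_url) for a pingback.ping call, else None."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag != "methodCall":
        return None
    if root.findtext("methodName", default="").strip() != "pingback.ping":
        return None
    params = [v.text or "" for v in root.iterfind("./params/param/value/string")]
    if len(params) < 2:
        return None
    return params[0], params[1]

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def assess(request_body, response_body, oob_domains=OOB_DOMAINS):
    """Classify one xmlrpc.php exchange; 'flags' lists the matched indicators."""
    parsed = parse_pingback(request_body)
    if parsed is None:
        return {"pingback": False, "flags": []}
    source, _target = parsed
    src_host = host_of(source)
    flags = []
    if src_host in oob_domains or src_host.endswith(tuple("." + d for d in oob_domains)):
        flags.append("callback URL host is a known out-of-band domain")
    if "faultCode" in response_body:
        flags.append("XML-RPC fault returned: pingback was processed")
    return {"pingback": True, "source_host": src_host, "flags": flags}
```

In production the same function would run over the request body and response body recorded by a WAF or reverse proxy for POSTs to /xmlrpc.php, with the OOB callback-domain list fed from the DNS correlation the bullets describe.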

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      5.9     MEDIUM     CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
osv             -         5.9     MEDIUM     -
vulncheck       -         5.9     MEDIUM     -
vendor_redhat   -         7.1     HIGH       -
vendor_debian   -         5.9     MEDIUM     -