CVE-2022-3590
Published: 2022-12-14
Priority: P2 · 78 · medium · 5.9 (CVSS 3.1)
CVSS vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Tags: ITW · Exploit · VulnCheck KEV
Exploited in the wild
EPSS: 3.15% (86.3th percentile)
WordPress is affected by an unauthenticated blind SSRF in the pingback feature. Because of a TOCTOU race condition between the validation checks and the HTTP request, attackers can reach internal hosts that are explicitly forbidden.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | wordpress | — | — |
| wordpress | wordpress | — | — |
| wordpress | wordpress | 4.1.30 – 6.1.1 | — |
| wordpress | wordpress | 4.2 – 6.1.1 | — |
Detection & IOCs (extracted from sources)
- url: http://{{interactsh-url}}/
- url: {{RootURL}}/?p=1
- Exploit targets the XML-RPC pingback.ping method; detect POST requests to /xmlrpc.php invoking 'pingback.ping' with an out-of-band callback URL as the first parameter.
- A successful probe returns HTTP 200 with a text/xml content-type body containing 'faultCode', indicating the pingback was processed (even if faulted). Monitor for this response pattern on WordPress xmlrpc.php endpoints.
- Out-of-band DNS interaction is the confirmation signal for successful SSRF exploitation; correlate DNS callbacks from WordPress server IPs against pingback.ping requests.
- The vulnerability is a TOCTOU race condition between validation checks and the HTTP request in the pingback feature, allowing attackers to reach internal hosts that are explicitly forbidden.
- The SSRF is unauthenticated and blind: no direct response data is returned to the attacker; detection must rely on out-of-band (OOB) DNS/HTTP callback monitoring rather than response body inspection alone.
- As of the Debian security tracker, this CVE remains open (unpatched) across bookworm, bullseye, forky, sid, and trixie; WordPress installations on Debian-based systems should be treated as vulnerable regardless of OS patch level.
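The three detection signals above (a pingback.ping POST whose first parameter is a callback or internal URL, the 200/text/xml/faultCode response shape, and a DNS lookup from the server for the callback host shortly afterwards) can be triaged from web and DNS logs without inspecting any attacker-visible output. The following is an added example written for this page, not code from the CVE record, the Nuclei template or WordPress; the site host, the callback-domain watchlist, the request/response bodies and the log events are all constructed placeholders.

```python
import ipaddress
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumed environment (placeholders, not real infrastructure).
SITE_HOST = "blog.example.org"                 # the protected WordPress host
OOB_WATCHLIST = ("oob-callback.example.net",)  # assumed list of known callback domains

# Constructed pingback.ping request body as it would be POSTed to /xmlrpc.php.
PINGBACK_REQUEST = """<?xml version="1.0"?>
<methodCall>
  <methodName>pingback.ping</methodName>
  <params>
    <param><value><string>http://oob-callback.example.net/</string></value></param>
    <param><value><string>https://blog.example.org/?p=1</string></value></param>
  </params>
</methodCall>"""

# Constructed response matching the pattern in the bullets: 200, text/xml, faultCode present.
PINGBACK_RESPONSE = {
    "status_code": 200,
    "content_type": "text/xml; charset=UTF-8",
    "body": ('<?xml version="1.0"?><methodResponse><fault><value><struct>'
             '<member><name>faultCode</name><value><int>0</int></value></member>'
             '</struct></value></fault></methodResponse>'),
}


def parse_method_call(body):
    """Return (methodName, [string params]) from an XML-RPC methodCall, or (None, [])."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None, []
    if root.tag != "methodCall":
        return None, []
    name = (root.findtext("methodName") or "").strip()
    params = [(v.text or "").strip() for v in root.findall("./params/param/value/string")]
    return name, params


def classify_source_url(url):
    """Label the pingback sourceURI: internal target, own site, known OOB callback, or external."""
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return "malformed"
    try:
        ip = ipaddress.ip_address(host)
        if ip.is_private or ip.is_loopback or ip.is_link_local:
            return "internal"  # the forbidden-host case the TOCTOU race lets through
    except ValueError:
        pass  # a hostname rather than an IP literal
    if host == SITE_HOST.lower():
        return "self"
    if any(host == d or host.endswith("." + d) for d in OOB_WATCHLIST):
        return "oob_callback"
    return "external"  # ordinary pingbacks from other blogs look like this


def triage_request(body):
    """Return a label for one /xmlrpc.php POST body, or None if it is not pingback.ping."""
    name, params = parse_method_call(body)
    if name != "pingback.ping" or not params:
        return None
    return classify_source_url(params[0])


def response_looks_processed(resp):
    """The response pattern from the bullets: HTTP 200, text/xml, faultCode in the body."""
    return (resp["status_code"] == 200
            and "text/xml" in resp["content_type"]
            and "faultCode" in resp["body"])


def correlate_dns(pingback_events, dns_events, window=timedelta(minutes=5)):
    """Join server-side DNS lookups to pingback sourceURI hosts seen shortly before.

    pingback_events: [(timestamp, source_url)]; dns_events: [(timestamp, qname)].
    Returns (source_url, qname) pairs: the OOB confirmation signal from the bullets.
    """
    hits = []
    for pb_ts, url in pingback_events:
        host = (urlparse(url).hostname or "").lower()
        for dns_ts, qname in dns_events:
            q = qname.lower().rstrip(".")
            if host and (q == host or q.endswith("." + host)) and pb_ts <= dns_ts <= pb_ts + window:
                hits.append((url, qname))
    return hits


def demo_correlation():
    """Constructed events: one pingback, then a DNS query from the server two seconds later."""
    t0 = datetime(2022, 12, 14, 12, 0, 0)
    pingbacks = [(t0, "http://oob-callback.example.net/")]
    dns_log = [(t0 + timedelta(seconds=2), "oob-callback.example.net.")]
    return correlate_dns(pingbacks, dns_log)


if __name__ == "__main__":
    print("request:", triage_request(PINGBACK_REQUEST))
    print("response processed:", response_looks_processed(PINGBACK_RESPONSE))
    print("dns correlation:", demo_correlation())
```

Because legitimate pingbacks also carry off-site source URLs, `external` alone is not a finding; the actionable labels are `internal` (an explicitly forbidden target) and `oob_callback`, and either should be confirmed against the response shape and the DNS correlation rather than on the request alone.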
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
| osv | 5.9 | MEDIUM | — |
| vulncheck | 5.9 | MEDIUM | — |
| vendor_redhat | 7.1 | HIGH | — |
| vendor_debian | 5.9 | MEDIUM | — |
GHSA
GHSA-mjj5-7gmf-mfjx: WordPress is affected by an unauthenticated blind SSRF in the pingback feature
ghsa_unreviewed · 2022-12-14 · CVE-2022-3590 · MEDIUM · CWE-367
OSV
CVE-2022-3590: WordPress is affected by an unauthenticated blind SSRF in the pingback feature
osv · 2022-12-14 · CVSS 5.9 · MEDIUM
VulnCheck
WordPress wordpress Time-of-check Time-of-use (TOCTOU) Race Condition
vulncheck · 2022 · CVSS 5.9 · MEDIUM
Affected: WordPress wordpress
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://media.defense.gov/2024/Sep/18/2003547016/-1/-1/0/CSA-PRC-LINKED-ACTORS-BOTNET.PDF
Exploit PoC: https://vulncheck.com/xdb/292b473a5732; https://vulncheck.com/xdb/d6dcacf8755d
Debian
CVE-2022-3590: wordpress - WordPress is affected by an unauthenticated blind SSRF in the pingback feature. ...
vendor_debian · 2022 · CVSS 5.9 · MEDIUM
Scope: local
bookworm: open
bullseye: open
forky: open
sid: open
trixie: open
No detection rules found.
Nuclei
WordPress <= 6.2 - Server Side Request Forgery
nuclei · CVSS 5.9 · CVE-2022-3590 · MEDIUM
Tags: WordPress · method: pingback.ping · sourceURI (callback): http://{{interactsh-url}}/ · targetURI: {{RootURL}}/?p=1

```yaml
matchers:
  - type: dsl
    dsl:
      - "status_code == 200"
      - "contains_all(body, '<methodResponse>','faultCode','</methodResponse>')"
      - "contains(content_type, 'text/xml')"
      - "contains(interactsh_protocol, 'dns')"
    condition: and
# digest: 4a0a004730450221009b240bf9162eb34bb0d5fe482379a9c3c5a11408164cd8f6b920298791e46a95022031f0483073fac7b66261897dd83adaf5088017fb2029b6ecf0b6432dafadb9a4:922c64590222798bb761d5b6d8e72950
```
No writeups or analysis indexed.