EPSS Percentile: 76.6%
WordPress is vulnerable because of an incorrect hostname assumption: by default, the wp_http_validate_url() function wrongly treats URLs with the hostname localhost as being on the same host.
core.trac.wordpress.org/changeset/42894
github.com/johnpbloch/wordpress-core/commit/883414dbd7662c147aa76eaabf5bb8f8686eecd2
wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/