CVE-2022-3590: WordPress 6.1.1 – Unauth. Blind SSRF (0day)

Websites using WordPress on the latest version 6.1.1 are vulnerable to CVE-2022-3590 when XML-RPC or pingbacks are enabled.

wordpress colorful

What can happen

A WordPress site can be forced to run requests to systems on the internal network to reveal sensitive server information with blind Server Side Request Forgery (SSRF) via DNS rebinding.

The probability of exploiting this vulnerability is considered low.

What you have to do

It is recommended that you apply one of the following options:

The safest option is to disable xmlrpc.php. This should only be applied if you are not using the XML-RPC protocol:
Disable xmlrpc.php simply with a rename, or a command in .htaccess, or ngnix. If this all sounds Chinese to you, search for “xmlrpc” to install a plugin that disables it.

A less secure option is to disable Pingbacks. This is recommended if WordPress depends on XML-RPC.
Disable WordPress pingbacks from your dashboard

We are waiting for an update from WordPress, which will be installed automatically.

iGuRu.gr The Best Technology Site in Greece
Follow us on Google News

pingbackswordpressXML-RPC

wordpress, XML-RPC, pingbacks

Written by giorgos

George still wonders what he's doing here ...

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).