Websites running WordPress, including the latest version 6.1.1, are vulnerable to CVE-2022-3590 when XML-RPC or pingbacks are enabled.
What can happen
A WordPress site can be forced to send requests to systems on the internal network and reveal sensitive server information, through a blind server-side request forgery (SSRF, Server-Side Request Forgery) via DNS rebinding.
The likelihood of this vulnerability being exploited is considered low.
What you have to do
It is recommended that you apply one of the following options:
The safest option is to disable xmlrpc.php. Apply this only if you are not using the XML-RPC protocol:
Disable xmlrpc.php simply by renaming it, or with a rule in .htaccess or in your nginx configuration. If this all sounds like gibberish to you, search for "xmlrpc" in the plugin directory to install a plugin that disables it.
A less secure option is to disable only pingbacks. Use this if your site depends on XML-RPC:
Disable WordPress pingbacks from your dashboard.
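The two options above, as an added example implemented in a WordPress must-use plugin (my own code, not from the advisory or from WordPress; the constant name is an assumption):

```php
<?php
/**
 * Plugin Name: Block XML-RPC pingbacks (CVE-2022-3590 mitigation, example)
 * Description: Added example, not from the original advisory. Place this file in
 *              wp-content/mu-plugins/ so it loads on every request.
 */

// Assumption: true for the safest option (all of XML-RPC disabled),
// false to keep XML-RPC but strip only the pingback methods.
const MITIGATION_DISABLE_ALL_XMLRPC = true;

// Option 1: refuse every request to xmlrpc.php. xmlrpc.php defines
// XMLRPC_REQUEST before loading WordPress, so a must-use plugin sees it here.
// Note: the 'xmlrpc_enabled' filter alone is NOT enough, because WordPress only
// consults it for methods that require login, and pingback.ping does not.
if ( MITIGATION_DISABLE_ALL_XMLRPC && defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
    http_response_code( 403 );
    header( 'Content-Type: text/plain; charset=utf-8' );
    exit( 'XML-RPC is disabled on this site.' );
}

// Option 2: keep XML-RPC but unregister the pingback methods, so the server
// never fetches a caller-supplied source URL on a pingback.ping call.
add_filter( 'xmlrpc_methods', function ( array $methods ): array {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// Close pings on existing and new posts and stop sending pingbacks ourselves;
// this mirrors the two pingback checkboxes in the dashboard.
add_filter( 'pings_open', '__return_false' );
add_filter( 'pre_option_default_ping_status', fn() => 'closed' );
add_filter( 'pre_option_default_pingback_flag', '__return_zero' );

// Stop advertising the endpoint: drop the X-Pingback response header and the
// RSD <link> in the page head that points clients at xmlrpc.php.
add_filter( 'wp_headers', function ( array $headers ): array {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );
```

After installing it, a POST to /xmlrpc.php should return 403 with option 1, or a "method not found" XML-RPC fault for pingback.ping with option 2.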
We are waiting for an update from WordPress, which will be installed automatically.