Websites that use WordPress in the last version 6.1.1 are vulnerable to CVE-2022-3590 when XML-RPC is enabled or pingbacks.
What can happen
A WordPress site can be forced to run requests to systems on the internal network to reveal sensitive server information with blind Server Side Request Forgery (SSRF) through reconnections DNS.
The probability of exploiting this vulnerability is considered low.
What you have to do
It is recommended that you apply one of the following options:
The safest option is to disable xmlrpc.php. This should only be applied if you are not using the XML-RPC protocol:
Disable xmlrpc.php simply with a rename, or a command in .htaccess, or ngnix. If this all sounds Chinese to you, search for “xmlrpc” to install a plugin that disables it.
A less secure option is to disable Pingbacks. This is recommended if WordPress depends on XML-RPC.
Disable WordPress pingbacks from your dashboard
We await information from WordPress, which will be installed automatically.