CVE-2022-3590

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-3590

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-3590.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2022-3590

Aliases

Downstream

DEBIAN-CVE-2022-3590

UBUNTU-CVE-2022-3590

Published

2022-12-14T09:15:09Z

Modified

2025-10-14T15:33:40Z

Severity

5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

WordPress is affected by an unauthenticated blind SSRF in the pingback feature. Because of a TOCTOU race condition between the validation checks and the HTTP request, attackers can reach internal hosts that are explicitly forbidden.

References

Affected packages

Git / github.com/wordpress/wordpress

Affected ranges

Type: GIT
Repo: https://github.com/wordpress/wordpress
Events: Introduced

87bf150016e042bc3e21f2f1cb9de44042b8cdb1

Last affected

c927cb503affd9182a6d4d39f0cadf4e10523cda

Last affected

e5e791f331d371ad6262c1893d84f5f2b6c26464

Type: GIT
Repo: https://github.com/wordpress/wordpress-develop
Events: Introduced

7b07c0ccc7453ce057e009ffa65f12a02ce7d2ee

Last affected

031cedc06d612c4a74f7b6d3e77d8145f2954a25

Last affected

470529c2bf211450e91f01ceadaa9fc97a2b4031