WP Core Vulnerability JAN 2023:
still no fix in latest version Version 6.1.1
For your WordPress protection, be informed about the LATEST WP Core Vulnerability JAN 2023. ALL WordPress versions are affected by an unauthenticated blind SSRF in the pingback feature. Because of a TOCTOU race condition between the validation checks and the HTTP request, attackers can reach internal hosts that are explicitly forbidden.
This vulnerability was reported to WordPress on January 21, 2022. Yeah, you read it correctly, a year ago! Yet it got “accepted publicly” and confirmed only October 10, 2022. CVE-2022-3590 proves that: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3590.
This issue was first reported about six years ago in January 2017 by another researcher and numerous others over the years. This was ignored throughout the years, as clean, stand-alone WP instance cannot be taken over without relying on other vulnerable services. Because of its low impact as-is, and the need to chain it to additional vulnerabilities in third-party software, everybody involved believes this issue won’t endanger WordPress users and can only FORCE them to harden their instances.
Yet, these needed additional vulnerabilities in third-party software ARE PRESENT at the hosting infrastructure level. To be protected, hosting needs to either convince you to disable default settings inside your WordPress – either to do it without your consent. If these are not real-life options, then in reality remains for you to either learn about these vulnerabilities and learn how to protect your WordPress or choose managed WP Security services, that are specifically for these “reappearing” cases.
Read more about this here: WordPress Core – Unauthenticated Blind SSRF.
