CVE-2022-3590

WordPress is affected by an unauthenticated blind SSRF in the pingback feature. Because of a TOCTOU race condition between the validation checks and the HTTP request, attackers can reach internal hosts that are explicitly forbidden.

Published: Dec 14, 2022
Updated: Jun 29, 2025
CVE: CVE-2022-3590
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.9
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CWEs:

CWE-367
CWE-918

Affected Software
References

Software	From	Fixed in
WordPress / wordpress	4.2	6.1.1.x
WordPress / wordpress	4.1	4.1.x
WordPress / wordpress	-	-

https://blog.sonarsource.com/wordpress-core-unauthenticated-blind-ssrf/
https://wpscan.com/vulnerability/c8814e6e-78b3-4f63-a1d3-6906a84c1f11

Vulnerability Database

289,599

CVE-2022-3590