{"id":"CVE-2016-4029","details":"WordPress before 4.5 does not consider octal and hexadecimal IP address formats when determining an intranet address, which allows remote attackers to bypass an intended SSRF protection mechanism via a crafted address.","modified":"2026-03-15T14:19:11.159300Z","published":"2016-08-07T16:59:00.143Z","references":[{"type":"WEB","url":"https://wpvulndb.com/vulnerabilities/8473"},{"type":"ADVISORY","url":"http://codex.wordpress.org/Version_4.5"},{"type":"ADVISORY","url":"http://www.securitytracker.com/id/1036594"},{"type":"FIX","url":"https://core.trac.wordpress.org/query?status=closed&milestone=4.5"},{"type":"ARTICLE","url":"http://www.debian.org/security/2016/dsa-3681"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/wordpress/wordpress","events":[{"introduced":"0"},{"fixed":"e3aafee3f2bc07e09bf79389f20ea3db731466c3"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"4.5"}]}}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-4029.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"8.0"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"}]}