{"id":"CVE-2022-3590","details":"WordPress is affected by an unauthenticated blind server-side request forgery (SSRF) in the pingback feature. Because of a time-of-check/time-of-use (TOCTOU) race condition between the validation checks and the HTTP request, attackers can reach internal hosts that are explicitly forbidden.","aliases":["BIT-wordpress-2022-3590","BIT-wordpress-multisite-2022-3590"],"modified":"2026-04-10T04:49:37.137146Z","published":"2022-12-14T09:15:09.260Z","references":[{"type":"ADVISORY","url":"https://wpscan.com/vulnerability/c8814e6e-78b3-4f63-a1d3-6906a84c1f11"},{"type":"EVIDENCE","url":"https://blog.sonarsource.com/wordpress-core-unauthenticated-blind-ssrf/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/wordpress/wordpress","events":[{"introduced":"87bf150016e042bc3e21f2f1cb9de44042b8cdb1"},{"last_affected":"c927cb503affd9182a6d4d39f0cadf4e10523cda"},{"introduced":"0"},{"last_affected":"e5e791f331d371ad6262c1893d84f5f2b6c26464"}],"database_specific":{"versions":[{"introduced":"4.2"},{"last_affected":"6.1.1"},{"introduced":"0"},{"last_affected":"4.1-NA"}]}}],"versions":["4.1","6.1.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-3590.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}