WordPress Core - Unauthenticated Blind SSRF via DNS Rebinding
Description:
WordPress Core versions up to and including 6.1.1 are affected by an unauthenticated blind SSRF in the pingback feature via DNS rebinding. The impact of this vulnerability is low.
The vulnerability is a race condition known as Time-of-Check-Time-of-Use (TOC-TOU) between the validation checks and the HTTP request. Those checks are meant to mitigate Server Side Request Forgery (SSRF): an attacker can change the domain to point to a different address than the one that was validated before, allowing them to reach internal hosts that are explicitly forbidden.
A pingback is the notification sent to the blog author when another "friend" blog links to a specific article. Pingbacks are displayed with the comments and can be accepted or rejected. The pingback functionality is exposed on the XML-RPC API of WordPress, an API that expects XML documents with a function and arguments selected by the client.
DNS rebinding is a method of manipulating the resolution of domain names that is commonly used as a form of computer attack. In this attack, a malicious web page causes visitors to run a client-side script that attacks machines elsewhere on the network.
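The race described above, as an added illustration that is not WordPress code or the pending patch: a check-then-use fetcher validates one lookup and then lets the HTTP client resolve the name again, while the hardened variant validates the resolved address and connects to that address directly. The rebinding resolver and the addresses are constructed stand-ins for real DNS.

```python
import ipaddress
from itertools import cycle

def make_rebinding_resolver(answers):
    """Constructed stand-in for DNS: each call returns the next answer in the
    list, simulating a name whose record changes between two lookups.
    Real code would call socket.getaddrinfo() instead."""
    answers = cycle(answers)
    return lambda hostname: next(answers)

def is_public(ip):
    """True only for addresses a pingback should be allowed to reach."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)

def target_check_then_use(hostname, resolve):
    """The TOC-TOU pattern: validate one lookup, then let the HTTP client
    resolve the hostname again when it connects. Returns the address that
    would actually be connected to, or None if validation refused it."""
    if not is_public(resolve(hostname)):   # time of check
        return None
    return resolve(hostname)               # time of use: an independent second lookup

def target_pinned(hostname, resolve):
    """Hardened pattern: resolve once, validate that address, and connect to
    it directly (sending Host: hostname). There is no second lookup, so no
    window to race. Any HTTP redirect must go through this check again."""
    ip = resolve(hostname)
    if not is_public(ip):
        return None
    return ip
```

With a name that answers a public address first and a private one second, the check-then-use fetcher ends up connecting to the private address, while the pinned fetcher only ever connects to the address it validated.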
Affected Version:
- <= 6.1.1
CVE_IDs:
- CVE-2022-3590
CVSS:
- 4.0 (Medium)
Source:
Impact:
Attackers can change the domain in a pingback request to point to a different address than the one validated before.
Reach internal hosts that should not be reachable from the server.
Recommendation:
Disable xmlrpc.php at the web server level until a patch is available (no patch has been released yet).