Situation
WordPress instances below version 6.1.1 are vulnerable to CVE-2022-3590 when xmlrpc.php is reachable and pingbacks are enabled (the pingback.ping method is exposed through the XML-RPC interface, so either component being switched off closes the attack path).
Impact
An unauthenticated attacker can make the WordPress site send HTTP requests to systems on the internal network that its URL validation is supposed to refuse (blind Server-Side Request Forgery, SSRF, via DNS rebinding) and use the outcome of those requests to learn about the server and the hosts around it. Because the SSRF is blind, the attacker does not receive the response body directly and has to infer results from timing, errors and similar side channels.
The probability that this vulnerability is exploited is considered low.
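The following is an added illustration of the validate-then-fetch pattern that DNS rebinding defeats; it is not WordPress code and does not reproduce the actual CVE-2022-3590 code path. The hostname, the resolver callback and the address values are constructed for the example: the resolver stands in for an attacker-controlled DNS server that answers first with a public address (so the check passes) and then with an internal one (so the request goes inside).

```python
"""
Added illustration (not WordPress code): a URL check that resolves the
hostname once to validate it and then lets the HTTP client resolve it
again is open to DNS rebinding. Pinning the validated address closes
the window.
"""
import ipaddress
from typing import Callable

Resolver = Callable[[str], str]


class RebindingResolver:
    """Constructed attacker DNS: returns each answer in turn, then repeats the last one."""

    def __init__(self, answers: list[str]) -> None:
        self._answers = iter(answers)
        self._last = answers[-1]

    def __call__(self, host: str) -> str:
        try:
            self._last = next(self._answers)
        except StopIteration:
            pass
        return self._last


def is_public(ip: str) -> bool:
    """True only for globally routable addresses (rejects loopback, RFC 1918, link-local, ...)."""
    addr = ipaddress.ip_address(ip)
    return addr.is_global and not addr.is_multicast


def vulnerable_fetch(host: str, resolve: Resolver) -> str:
    """Check the address the name resolves to, then connect using a fresh lookup.

    Returns the address the connection actually went to. Between the check
    and the use, the attacker's DNS server can change its answer (TOCTOU).
    """
    if not is_public(resolve(host)):            # check: first lookup
        raise ValueError("blocked: resolves to internal address")
    return resolve(host)                         # use: second lookup, may differ


def pinned_fetch(host: str, resolve: Resolver) -> str:
    """Resolve once, validate that address, and connect to exactly that address.

    The HTTP client must connect to the pinned IP while still sending the
    original Host header (and TLS SNI), and re-apply the check on redirects.
    """
    ip = resolve(host)
    if not is_public(ip):
        raise ValueError("blocked: resolves to internal address")
    return ip                                    # connect to the pinned IP only


if __name__ == "__main__":
    attacker_dns = RebindingResolver(["93.184.216.34", "127.0.0.1"])
    print("vulnerable path connected to:", vulnerable_fetch("attacker.example", attacker_dns))
    attacker_dns = RebindingResolver(["93.184.216.34", "127.0.0.1"])
    print("pinned path connected to:", pinned_fetch("attacker.example", attacker_dns))
```

The vulnerable path passes the check on the first answer (93.184.216.34) and connects to the second (127.0.0.1); the pinned path connects to the address it validated. Any real fix also has to apply the same validation to each hop of a redirect chain, since a redirect is simply another hostname to resolve.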
Call to action
It is recommended to mitigate the vulnerability with one of the following options:

- The most secure option is to disable xmlrpc.php. Apply it only when the WordPress instance does not rely on XML-RPC.

  Disable xmlrpc.php:
  1. Open WordPress > example.com > Fix vulnerabilities > Security Measures
  2. Select Block unauthorized access to xmlrpc.php and click Secure
  3. Repeat steps 1-2 for all other WordPress instances hosted on the server

- A less secure option is to turn off pingbacks. Choose it when WordPress depends on XML-RPC; the rest of the XML-RPC interface stays reachable.

  Turn off WordPress pingbacks:
  1. Open WordPress > example.com > Fix vulnerabilities > Security Measures
  2. Select Turn off pingbacks and click Secure
  3. Repeat steps 1-2 for all other WordPress instances hosted on the server
Note: At the moment, the warning about this vulnerability remains in WordPress Toolkit even after either option has been applied.
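Because WordPress Toolkit keeps showing the warning after either measure is applied, it helps to verify the result from the outside. The script below is an added check, not part of this article or of Plesk: it sends the standard unauthenticated system.listMethods call to a site's xmlrpc.php and reports whether the endpoint is blocked and whether pingback.ping is still advertised. The site URL and the sample response are constructed for the example.

```python
"""
Added check (not Plesk or WordPress code): ask xmlrpc.php which methods
it advertises and classify the result. Run as:
    python check_xmlrpc.py https://example.com
"""
import sys
import urllib.error
import urllib.request
import xmlrpc.client

PINGBACK_METHODS = {"pingback.ping", "pingback.extensions.getPingbacks"}


def build_list_methods_request() -> bytes:
    """Plain XML-RPC call; WordPress answers it without credentials."""
    return xmlrpc.client.dumps((), methodname="system.listMethods").encode()


def parse_list_methods_response(body: bytes) -> list[str]:
    """Return the advertised method names. Raises xmlrpc.client.Fault on an RPC fault."""
    params, _ = xmlrpc.client.loads(body)
    return list(params[0])


def assess(status: int, methods: list[str]) -> str:
    """Map HTTP status plus advertised methods to a one-line verdict."""
    if status in (401, 403, 404):
        return "xmlrpc.php blocked (HTTP %d): 'Block unauthorized access' is in effect" % status
    if status != 200:
        return "unexpected HTTP %d, check manually" % status
    if PINGBACK_METHODS & set(methods):
        return "pingback.ping still advertised by xmlrpc.php: verify that pingbacks are off"
    return "xmlrpc.php reachable, pingback methods not advertised"


def check_site(base_url: str, timeout: float = 10.0) -> str:
    """Live check against the given site (e.g. https://example.com, an assumed URL)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/xmlrpc.php",
        data=build_list_methods_request(),
        headers={"Content-Type": "text/xml", "User-Agent": "xmlrpc-check/1.0"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return assess(resp.status, parse_list_methods_response(resp.read()))
    except urllib.error.HTTPError as err:
        # A blocked endpoint typically answers 403; treat any error status as "not reachable".
        return assess(err.code, [])


if __name__ == "__main__":
    for site in sys.argv[1:]:
        print(site, "->", check_site(site))
```

A method that is not advertised cannot be called through the endpoint, so a clean result on the first two verdicts is conclusive. A listed pingback.ping only means the handler is registered: WordPress still refuses a pingback to a post whose pings are closed, so treat that verdict as a reason to check the measure in Plesk again rather than as proof of exposure. Run the check against every instance on the server, since the measures are applied per site.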
Comments
8 comments
tried and it doesn't work!
already disabled xmlrpc and pingback and it doesn't work.
Hello Stephan Busch, Bruno Vinci,
Please open a support ticket so we can check why the steps did not work.
If you applied the solutions, but the vulnerability is still shown, note that in both cases "Disable xmlrpc.php" and "Turn off WordPress pingbacks" the vulnerability will still be shown in WordPress Toolkit.
I tried both steps, but it also did not fix the issue with my WordPress installation.
I cannot submit a support ticket since my license is with the IONOS reseller. I would appreciate any help to get this vulnerability fixed.
@Nawid the same for me, I'm with IONOS
Not solved with this guide, still have this problem.
We have the same problems on our server. Did all these "solutions" but it is still not solved on our 70 customer sites.
People are getting insecure and keep calling us.
Is this a Plesk issue or a WordPress issue?