Scroll Top

WP Core Vulnerability JAN 2023: NO bug fix

By Csaba, Miklós WP Security WP SERVICES 9 January 2023

WP CORE VULNERABILITY JAN 2023

WP Core Vulnerability JAN 2023:

still no fix in latest version Version 6.1.1

For your WordPress protection, be informed about the LATEST WP Core Vulnerability JAN 2023. ALL WordPress versions are affected by an unauthenticated blind SSRF in the pingback feature. Because of a TOCTOU race condition between the validation checks and the HTTP request, attackers can reach internal hosts that are explicitly forbidden.

This vulnerability was reported to WordPress on January 21, 2022. Yeah, you read it correctly, a year ago! Yet it got "accepted publicly" and confirmed only October 10, 2022. CVE-2022-3590 proves that: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3590.

This issue was first reported about six years ago in January 2017 by another researcher and numerous others over the years. This was ignored throughout the years, as clean, stand-alone WP instance cannot be taken over without relying on other vulnerable services. Because of its low impact as-is, and the need to chain it to additional vulnerabilities in third-party software, everybody involved believes this issue won't endanger WordPress users and can only FORCE them to harden their instances.

Yet, these needed additional vulnerabilities in third-party software ARE PRESENT at the hosting infrastructure level. To be protected, hosting needs to either convince you to disable default settings inside your WordPress - either to do it without your consent. If these are not real-life options, then in reality remains for you to either learn about these vulnerabilities and learn how to protect your WordPress or choose tailored WP Security services, that are specifically for these "reappearing" cases.

Read more about this here: WordPress Core - Unauthenticated Blind SSRF.

Get Healthy, Stay Healthy: A healthier online business starts today and it begins with you!

WP Security
  • Unauthenticated Blind Server Side Request Forgery (SSRF) AFTER A YEAR still NOT FIXED in WordPress <= 6.1.1
    • WordPress is affected by an unauthenticated blind SSRF in the pingback feature. Because of a race condition between the validation checks and the HTTP request, attackers can reach internal hosts that are explicitly forbidden. This vulnerability was reported to WordPress on January 21; no fix is available yet.
    • Disable and block XMLRPC (pingback) feature!

Protect your WordPress: BEFORE IT'S TOO LATE! You will also protect your customers, your reputation and your online business!

WP Security

Related Posts

THEMES VULNERABILITY 2022
WP Themes vulnerability AUG 2022: 3 new risks
16 Aug 2022
WP SECURITY
WP Vulnerability JUL 2022 Centralised Abuse Highlights
15 Jul 2022
WP SECURITY PLUGIN VULNERABILITIES
WP Security CVE MAY 2024: 44 public plugin risks
29 May 2024
WP SECURITY
2 WordPress Security Core Vulnerabilities in March 2019

CORE WP Security bulletin – March 2019 At your next scheduled WordPress Maintenance, be informed for your WordPress Security about the NEW WP Core Vulnerabilities, identified and reported publicly. As these vulnerabilities are disclosed, when you keep your WP outdated – your risking serious security-related breaches. Do you have any…

10 Apr 2019
WP CORE VULNERABILITY 2022
WP Core Vulnerability JUN 2023: 6 patches
06 Jun 2023
WP CORE VULNERABILITY 2022
9 bug fixes in WP Core Vulnerability MAY 2022: Caution
12 May 2022
WPSETUP ATTACK
WPSetup Attack

A new kind of attack targets fresh WordPress installations. Attack starts with a scan after the “/wp-admin/setup-config.php” URL. This is the setup URL for any freshly installed WordPress. If the attackers find that URL and it contains a setup page, it indicates that someone has recently installed WordPress on the…

12 Jul 2017
WP SECURITY PLUGIN VULNERABILITIES
16 WP Security Plugin Vulnerabilities APR 2023
24 Apr 2023
COFFEE HOUSE
public WiFi dashboard access versus paranoid WordPress Security?

public WiFi dashboard access versus paranoid WordPress Security The world is a wonderful place, and we’re not going to say otherwise. It is not our style to exploit scare tactics. However, most of the time is highly advisable to have a dose of paranoia when it’s about your WP Security….

04 Jul 2019
WP SECURITY PLUGIN VULNERABILITIES
43 WP Security Plugin Vulnerabilities NOV 2022
04 Nov 2022
IN SOCIAL ENGINEERING
Social Engineering Conclusions and Recommendations

Social Engineering Conclusions As the threat landscape continues to evolve, new tools and approaches are emerging regularly. But one thing remains constant: the human factor. More than ever, cybercriminals rely on people to download and install malware or send funds and information on their behalf. And as the shelf lives…

14 Aug 2018
WP SECURITY PLUGIN VULNERABILITIES
WP Security CVE JUN 2024: 7 public plugin risks
26 Jun 2024
WORDPRESS SECURITY
44 Tips To Harden Your WP Security

WordPress security is often referred to as “reinforcement” or “hardening”. Makes sense. After all, the process is like adding reinforcements to your existing security, hardening the current capabilities. We created a few fun quizzes, to allow users to test their own WordPress Security skills. All these quizzes can be 100%…

06 Jun 2017
WP SECURITY
WP SECURITY JUN 2021 centralised abuse highlights
27 Jul 2021
VULNERABILITY
WordPress Plugin Vulnerabilities JAN 2022 – owl WPS Alarming Report
31 Jan 2022
owlpower.eu
owlpower.eu
owlpower.eu
16+ years of owlsome experience
We're on an empowering mission for website owners, who desire not to be transformed forcefully into IT experts.