CVE-2022-3590
WP <= 6.1.1 - Unauthenticated Blind SSRF via DNS RebindingWordPress is affected by an unauthenticated blind SSRF in the pingback feature. Because of a TOCTOU race condition between the validation checks and the HTTP request, attackers can reach internal hosts that are explicitly forbidden.
We have discovered 2,095,918 live websites that are affected by CVE-2022-3590.
Affected Software
| Product |  WordPress |
| Category | Content Management System |
| Vulnerable Domains | 2,095,918 live websites (22.74% of WordPress install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 478 versions ( 51.34% of all versions) |
Common Weakness Enumeration
CWE-918 Server-Side Request Forgery (SSRF)Details
- Published - Dec 14, 2022
- Updated - Aug 3, 2024
Credits
- Thomas Chauchefoin (finder)
- WPScan (coordinator)
CWE
CVE References
CWE References
CVE-2022-3590 usage by Country
 United States | 550,305 websites |
 Germany | 235,930 websites |
 Japan | 219,370 websites |
 France | 129,685 websites |
 Russia | 100,252 websites |
 Poland | 73,800 websites |
 GB | 65,182 websites |
 Netherlands | 54,123 websites |
 Italy | 51,440 websites |
 Spain | 50,615 websites |
CVE-2022-3590 usage by TLD
| .com | 838,139 websites |
| .de | 120,135 websites |
| .ru | 87,326 websites |
| .org | 79,731 websites |
| .net | 66,256 websites |
| .pl | 59,087 websites |
| .nl | 49,209 websites |
| .jp | 47,634 websites |
| .fr | 45,617 websites |
| .co.uk | 45,282 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2022-3590
Top websites that are affected by CVE-2022-3590. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ************.org |  Singapore | *** | |
| *****************.com | United States | *** | |
| ****.br |  Brazil | *** | |
| ****.******.com | Singapore | *** | |
| *********.com | United States | *** | |
| *********.net | United States | *** | |
| **********.ca |  Canada | *,*** | |
| ************.***.ar |  Argentina | *,*** | |
| *********.com | Italy | *,*** | |
| ********.com | Singapore | *,*** |
FAQ
CVE-2022-3590 is Server-Side Request Forgery (SSRF) in WordPress
A total of 2,095,918 websites have been identified as vulnerable to CVE-2022-3590, discovered through global website indexing conducted by WebTechSurvey.
WordPress is susceptible to CVE-2022-3590 vulnerability.
WordPress versions before, and including, 6.1.1 are vulnerable to CVE-2022-3590.