CVE-2022-3590: 
NixOS vulnerability analysis and mitigation

WordPress is affected by an unauthenticated blind Server-Side Request Forgery (SSRF) vulnerability (CVE-2022-3590) in its pingback feature. The vulnerability was discovered in January 2021 and affects all known WordPress versions up to 6.2. The issue stems from a Time-of-Check-Time-of-Use (TOCTOU) race condition between validation checks and HTTP request execution, allowing attackers to reach internal hosts that are explicitly forbidden (Sonar Blog, WPScan).

The vulnerability exists in WordPress's implementation of pingbacks, specifically in the XML-RPC API endpoint. The issue occurs due to a race condition between the URL validation in wphttpvalidate_url() function and the actual HTTP request execution. While the initial validation checks for forbidden IP ranges and validates the URL, the HTTP client needs to re-parse and re-resolve the hostname before sending the request. During this time window, an attacker could change the domain to point to a different address than the one initially validated. The vulnerability has been assigned a CVSS score of 4.0 (Medium) (Wordfence, Sonar Blog).

The vulnerability's impact is considered low for most users, as attackers would need to chain this behavior with additional vulnerabilities in third-party software to significantly impact the targeted organization's security. It could potentially be used to ease the exploitation of other vulnerabilities in the affected organization's internal network, such as recent Confluence OGNL injections or Jenkins remote code execution vulnerabilities (Sonar Blog).

As a temporary workaround, system administrators can remove the handler pingback.ping of the XMLRPC endpoint by updating functions.php of the theme in use. Alternatively, access to xmlrpc.php can be blocked at the web server level. The recommended code modification is to add: addfilter('xmlrpcmethods', function($methods) { unset($methods['pingback.ping']); return $methods; }) (Sonar Blog).