
CVE-2022-3590: WordPress <= 6.4.1 – Unauth. Blind SSRF vulnerability – Plesk

Situation

WordPress instances of versions <= 6.4.1 are vulnerable to CVE-2022-3590 when XML-RPC or pingbacks are enabled.

Impact

A WordPress website can be made to send requests to systems on the internal network, revealing sensitive information about the server, through blind Server-Side Request Forgery (SSRF) via DNS rebinding.

The probability of exploitation of this vulnerability is considered low.

Call to action

  1. Update the WP Toolkit extension in Plesk.
  2. Mitigate the vulnerability with one of the following options:
    • The most secure option is to disable xmlrpc.php. This should be applied only when the WordPress instance does not rely on XML-RPC:

      Disable xmlrpc.php

      1. Log in to Plesk.

      2. Go to WordPress > example.com > Fix vulnerabilities > Security Measures.

      3. Select Block unauthorized access to xmlrpc.php and click Secure.

      4. Repeat steps 2-3 for all other WordPress instances hosted on the server.

    • A less secure option is to disable Pingbacks. This is advised if WordPress depends on XML-RPC:

      Turn off WordPress pingbacks

      1. Log in to Plesk.

      2. Go to WordPress > example.com > Fix vulnerabilities > Security Measures.

      3. Select Turn off pingbacks and click Secure.

      4. Repeat steps 2-3 for all other WordPress instances hosted on the server.
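After applying either measure, an administrator will want to confirm it took effect on every instance. The script below is an added example (not Plesk's or WP Toolkit's own code) that checks a site: it assumes the "Block unauthorized access to xmlrpc.php" measure makes xmlrpc.php answer with a non-200 status, and that "Turn off pingbacks" removes the pingback.* methods from what system.listMethods advertises; the URL https://example.com and the sample responses are constructed for illustration.

```python
"""Verify the CVE-2022-3590 mitigations on a WordPress instance (added example)."""
import sys
import xmlrpc.client
from urllib import error, request

# Methods that the "Turn off pingbacks" measure is assumed to remove.
PINGBACK_METHODS = {"pingback.ping", "pingback.extensions.getPingbacks"}

# Constructed sample bodies, shaped like WordPress's system.listMethods reply.
SAMPLE_EXPOSED = (b'<?xml version="1.0"?><methodResponse><params><param><value><array><data>'
                  b'<value><string>system.listMethods</string></value>'
                  b'<value><string>pingback.ping</string></value>'
                  b'<value><string>wp.getUsersBlogs</string></value>'
                  b'</data></array></value></param></params></methodResponse>')
SAMPLE_CLEAN = (b'<?xml version="1.0"?><methodResponse><params><param><value><array><data>'
                b'<value><string>system.listMethods</string></value>'
                b'<value><string>wp.getUsersBlogs</string></value>'
                b'</data></array></value></param></params></methodResponse>')


def list_methods_request() -> bytes:
    """Build the XML-RPC request body for system.listMethods (no parameters)."""
    return xmlrpc.client.dumps((), methodname="system.listMethods").encode()


def exposed_pingback_methods(body: bytes) -> set:
    """Return which pingback methods a system.listMethods response advertises."""
    params, _ = xmlrpc.client.loads(body.decode("utf-8", "replace"))
    advertised = set(params[0]) if params else set()
    return advertised & PINGBACK_METHODS


def assess(status: int, body: bytes) -> str:
    """Map the HTTP status and body of the xmlrpc.php reply to a verdict."""
    if status != 200:
        return "xmlrpc-blocked"          # assumed effect of blocking xmlrpc.php
    try:
        exposed = exposed_pingback_methods(body)
    except Exception:                    # HTML error page or XML-RPC fault
        return "xmlrpc-unparseable"
    return "pingbacks-exposed" if exposed else "pingbacks-disabled"


def check_site(base_url: str) -> str:
    """Live check (needs network): POST system.listMethods to /xmlrpc.php."""
    req = request.Request(base_url.rstrip("/") + "/xmlrpc.php", method="POST",
                          data=list_methods_request(),
                          headers={"Content-Type": "text/xml"})
    try:
        with request.urlopen(req, timeout=10) as resp:
            return assess(resp.status, resp.read())
    except error.HTTPError as e:
        return assess(e.code, e.read())


if __name__ == "__main__":
    print(check_site(sys.argv[1] if len(sys.argv) > 1 else "https://example.com"))
```

Run it once per instance listed under WordPress in Plesk; only "xmlrpc-blocked" or "pingbacks-disabled" means the chosen measure is in place.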
