SB2016052204 - Input validation error in WordPress
Published: May 22, 2016 Updated: August 9, 2020
Security Bulletin ID
SB2016052204
Severity
High
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Input validation error (CVE-ID: CVE-2016-2222)
The vulnerability allows a remote non-authenticated attacker to manipulate data.
The wp_http_validate_url function in wp-includes/http.php in WordPress before 4.4.2 allows remote attackers to conduct server-side request forgery (SSRF) attacks via a zero value in the first octet of an IPv4 address in the u parameter to wp-admin/press-this.php. <a href="https://cwe.mitre.org/data/definitions/918.html">CWE-918: Server-Side Request Forgery (SSRF)</a>
Remediation
Install update from vendor's website.
References
- http://www.debian.org/security/2016/dsa-3472
- http://www.securityfocus.com/bid/82454
- http://www.securitytracker.com/id/1034933
- https://codex.wordpress.org/Version_4.4.2
- https://core.trac.wordpress.org/changeset/36435
- https://hackerone.com/reports/110801
- https://news.ycombinator.com/item?id=20433070
- https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/
- https://wpvulndb.com/vulnerabilities/8376