6.4
CVSSv2

CVE-2013-0235

Published: 08/07/2013 Updated: 08/07/2013
CVSS v2 Base Score: 6.4 | Impact Score: 4.9 | Exploitability Score: 10
VMScore: 680
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N

Vulnerability Summary

The XMLRPC API in WordPress prior to 3.5.1 allows remote malicious users to send HTTP requests to intranet servers, and conduct port-scanning attacks, by specifying a crafted source URL for a pingback, related to a Server-Side Request Forgery (SSRF) issue.

Vulnerable Product

wordpress wordpress 2.6.2

wordpress wordpress 2.1.3

wordpress wordpress 2.2.3

wordpress wordpress 2.3

wordpress wordpress 2.2.2

wordpress wordpress 2.3.2

wordpress wordpress 2.0.1

wordpress wordpress 2.0.10

wordpress wordpress 2.6.5

wordpress wordpress 2.5

wordpress wordpress 2.8.3

wordpress wordpress 2.7.1

wordpress wordpress 2.8.5

wordpress wordpress 1.5.1

wordpress wordpress 1.2.1

wordpress wordpress 1.2.2

wordpress wordpress 1.0.2

wordpress wordpress

wordpress wordpress 3.3.2

wordpress wordpress 2.0.11

wordpress wordpress 2.0.8

wordpress wordpress 2.0.9

wordpress wordpress 2.6.1

wordpress wordpress 2.3.1

wordpress wordpress 2.0.4

wordpress wordpress 2.0.6

wordpress wordpress 2.9.2

wordpress wordpress 2.9

wordpress wordpress 2.9.1.1

wordpress wordpress 2.8.1

wordpress wordpress 1.6.2

wordpress wordpress 1.5

wordpress wordpress 1.2

wordpress wordpress 1.0.1

wordpress wordpress 1.3

wordpress wordpress 0.71

wordpress wordpress 3.4.1

wordpress wordpress 3.4.0

wordpress wordpress 3.3

wordpress wordpress 3.3.1

wordpress wordpress 2.2.1

wordpress wordpress 2.3.3

wordpress wordpress 2.8.6

wordpress wordpress 2.6.3

wordpress wordpress 2.8.4

wordpress wordpress 2.0.7

wordpress wordpress 2.1

wordpress wordpress 2.1.1

wordpress wordpress 2.1.2

wordpress wordpress 2.8.2

wordpress wordpress 1.5.1.1

wordpress wordpress 1.5.1.2

wordpress wordpress 1.2.5

wordpress wordpress 1.2.3

wordpress wordpress 1.2.4

wordpress wordpress 1.1.1

wordpress wordpress 1.3.3

wordpress wordpress 3.4.2

wordpress wordpress 3.3.3

wordpress wordpress 2.5.1

wordpress wordpress 2.8

wordpress wordpress 2.2

wordpress wordpress 2.6

wordpress wordpress 2.0

wordpress wordpress 2.0.2

wordpress wordpress 2.0.5

wordpress wordpress 2.7

wordpress wordpress 2.9.1

wordpress wordpress 2.8.5.1

wordpress wordpress 2.8.5.2

wordpress wordpress 1.5.1.3

wordpress wordpress 1.5.2

wordpress wordpress 1.0

wordpress wordpress 1.3.2

Vendor Advisories

Debian Bug report logs - #698916 wordpress: CVE-2013-0235: pingback port scanning issue fixed in 3.5.1. Package: wordpress; Maintainer for wordpress is Craig Small <csmall@debian.org>; Source for wordpress is src:wordpress. Reported by: Henri Salo <henri@nerv.fi> Date: Fri, 25 Jan 2013 09:30:02 UT ...
Several vulnerabilities were identified in WordPress, a web blogging tool. As the CVEs were allocated from releases announcements and specific fixes are usually not identified, it has been decided to upgrade the wordpress package to the latest upstream version instead of backporting the patches. This means extra care should be taken when upgrading, ...