CVE-2019-17669
high-risk
Published 2019-10-17
WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because URL validation does not consider the interpretation of a name as a series of hex characters.
Do I need to act?
~
8.4% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
+
Fix available
Upgrade to: 9b84a21d66d7da3edec388f49234c1c41daed9ad, 608d39faed63ea212b6c6cdf9fe2bef92e2120ea
9
CVSS 9.8/10
Critical
NETWORK
/ LOW complexity
Affected Products (4)
References (18)
Third Party Advisory
https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-secu...
Vendor Advisory
https://core.trac.wordpress.org/changeset/46475
Mailing List
https://seclists.org/bugtraq/2020/Jan/8
Third Party Advisory
https://wpvulndb.com/vulnerabilities/9912
Third Party Advisory
https://www.debian.org/security/2020/dsa-4599
Third Party Advisory
https://www.debian.org/security/2020/dsa-4677
Third Party Advisory
https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-secu...
Vendor Advisory
https://core.trac.wordpress.org/changeset/46475
Mailing List
https://seclists.org/bugtraq/2020/Jan/8
Third Party Advisory
https://wpvulndb.com/vulnerabilities/9912
Third Party Advisory
https://www.debian.org/security/2020/dsa-4599
Third Party Advisory
https://www.debian.org/security/2020/dsa-4677
52
/ 100
high-risk
Severity
32/34 · Critical
Exploitability
10/34 · Low
Exposure
10/34 · Low