WordPress Vulnerability (Medium) –

by | Mar 10, 2026 | Core

Attack Vectors

WordPress (slug: wordpress) versions up to and including 6.9.1 are affected by a Medium-severity vulnerability (CVSS 5.8, vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N) that can be exploited without authentication.

The attack is performed remotely over the internet by sending crafted requests that trigger XML-RPC pingback discovery. This can cause your WordPress server to make outbound web requests to attacker-chosen destinations, including internal-only locations that are not exposed to the public internet.

Security Weakness

This issue is a Blind Server-Side Request Forgery (SSRF) in WordPress core. “Blind” means the attacker may not directly see the response content, but can still use timing and behavioral clues to confirm what the server can reach and, in some cases, influence internal systems.

According to the published advisory, the root cause is that the WP_HTTP_IXR_Client class uses wp_remote_post() instead of the safer wp_safe_remote_post() when making outgoing XML-RPC pingback requests. That difference can make it easier to reach arbitrary internal addresses from the WordPress server, which may enable querying or modifying information on internal services.

Remediation: Update WordPress to 6.9.2 (or newer) or 6.8.4 (or newer patched version) to address this vulnerability.
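To make the root cause and the remediation concrete, the following PHP snippet is an added example written for this write-up; it is not WordPress core code and not the patch that shipped in 6.9.2 / 6.8.4. The two helper functions (unsafe_pingback_request, safe_pingback_request) are hypothetical names that exist only to contrast wp_remote_post() with wp_safe_remote_post(); the wp-content/mu-plugins/ placement is an assumed deployment path. The filters used (xmlrpc_methods, wp_headers, pre_http_request) and wp_http_validate_url() are real WordPress APIs.

```php
<?php
/**
 * Illustrative must-use plugin: outbound-request hardening for the
 * pingback SSRF pattern described above. Example code only, assumed to
 * live in wp-content/mu-plugins/ until the site is on a patched release.
 */

// 1. The two calls the advisory contrasts. $target is a URL the server did
//    not choose (e.g. a link discovered during pingback handling).
function unsafe_pingback_request( $target, $xml ) {
    // wp_remote_post() performs no destination check: a loopback, private
    // or link-local address is fetched exactly as given.
    return wp_remote_post( $target, array( 'body' => $xml ) );
}

function safe_pingback_request( $target, $xml ) {
    // wp_safe_remote_post() sets 'reject_unsafe_urls' => true, so the URL is
    // run through wp_http_validate_url(): http/https only, no user:pass@,
    // ports limited to 80/443/8080, and hosts resolving to 127/8, 10/8,
    // 172.16/12, 192.168/16 or 169.254/16 are refused unless the
    // 'http_request_host_is_external' filter explicitly allows them.
    return wp_safe_remote_post( $target, array( 'body' => $xml ) );
}

// 2. Compensating control: unregister the XML-RPC pingback methods so the
//    code path that triggers the outbound request is never reached.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// 3. Stop advertising the pingback endpoint in the response headers.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// 4. Site-wide guard: apply the same validation wp_safe_* performs to every
//    outbound request that did not opt into it, and log what gets blocked.
add_filter( 'pre_http_request', function ( $preempt, $parsed_args, $url ) {
    if ( false !== $preempt ) {
        return $preempt; // another filter already short-circuited the call
    }
    if ( ! empty( $parsed_args['reject_unsafe_urls'] ) ) {
        return false;    // caller already validates via wp_http_validate_url()
    }
    if ( false === wp_http_validate_url( $url ) ) {
        error_log( 'SSRF guard blocked outbound request to: ' . esc_url_raw( $url ) );
        return new WP_Error( 'http_request_not_allowed', 'Destination rejected by SSRF guard.' );
    }
    return false;        // let WP_Http proceed with the request
}, 10, 3 );
```

Steps 2 and 3 are the narrow mitigation for this specific issue; step 4 is broader and will also block legitimate requests to private hosts (for example an internal update or licensing server), so such hosts need to be allowed through the http_request_host_is_external filter before enabling it. None of this replaces updating to 6.9.2 or 6.8.4.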

Technical or Business Impacts

From a business-risk perspective, SSRF can turn your public website into a “bridge” into systems that were never meant to be reachable from the internet (for example, internal admin panels, internal APIs, or cloud service endpoints). Even when the attacker cannot directly read responses (blind SSRF), the ability to make the server initiate connections can still enable meaningful reconnaissance and follow-on abuse.

Potential impacts include increased exposure of internal services, unintended changes to internal applications (depending on what services are reachable), and compliance concerns if internal systems supporting customer data, marketing analytics, finance operations, or HR tooling can be probed through the WordPress server. While the listed CVSS indicates no direct confidentiality impact in the base score, the practical business impact can escalate if internal services trust requests originating from the WordPress host.

Operationally, a Medium-severity issue in a high-visibility platform like WordPress can still create material risk: it may be used as an entry point for broader compromise attempts, and it can trigger incident response costs, reputational damage, and downtime if the website must be taken offline for emergency remediation.

Similar Attacks

SSRF has been used in real-world incidents and high-profile vulnerabilities, including:

Capital One cyber incident (widely reported SSRF-related breach)
CVE-2021-21985 (VMware vCenter Server SSRF)
