CVE-2013-0235

The XMLRPC API in WordPress before 3.5.1 allows remote attackers to send HTTP requests to intranet servers, and conduct port-scanning attacks, by specifying a crafted source URL for a pingback, related to a Server-Side Request Forgery (SSRF) issue.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.4 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:N/C:P/I:P/A:N
redhatCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 98%
VendorProductVersion
wordpresswordpress
𝑥
≤ 3.5.0
wordpresswordpress
0.71
wordpresswordpress
1.0
wordpresswordpress
1.0.1
wordpresswordpress
1.0.2
wordpresswordpress
1.1.1
wordpresswordpress
1.2
wordpresswordpress
1.2.1
wordpresswordpress
1.2.2
wordpresswordpress
1.2.3
wordpresswordpress
1.2.4
wordpresswordpress
1.2.5
wordpresswordpress
1.2.5:a
wordpresswordpress
1.3
wordpresswordpress
1.3.2
wordpresswordpress
1.3.3
wordpresswordpress
1.5
wordpresswordpress
1.5.1
wordpresswordpress
1.5.1.1
wordpresswordpress
1.5.1.2
wordpresswordpress
1.5.1.3
wordpresswordpress
1.5.2
wordpresswordpress
1.6.2
wordpresswordpress
2.0
wordpresswordpress
2.0.1
wordpresswordpress
2.0.2
wordpresswordpress
2.0.4
wordpresswordpress
2.0.5
wordpresswordpress
2.0.6
wordpresswordpress
2.0.7
wordpresswordpress
2.0.8
wordpresswordpress
2.0.9
wordpresswordpress
2.0.10
wordpresswordpress
2.0.11
wordpresswordpress
2.1
wordpresswordpress
2.1.1
wordpresswordpress
2.1.2
wordpresswordpress
2.1.3
wordpresswordpress
2.2
wordpresswordpress
2.2.1
wordpresswordpress
2.2.2
wordpresswordpress
2.2.3
wordpresswordpress
2.3
wordpresswordpress
2.3.1
wordpresswordpress
2.3.2
wordpresswordpress
2.3.3
wordpresswordpress
2.5
wordpresswordpress
2.5.1
wordpresswordpress
2.6
wordpresswordpress
2.6.1
wordpresswordpress
2.6.2
wordpresswordpress
2.6.3
wordpresswordpress
2.6.5
wordpresswordpress
2.7
wordpresswordpress
2.7.1
wordpresswordpress
2.8
wordpresswordpress
2.8.1
wordpresswordpress
2.8.2
wordpresswordpress
2.8.3
wordpresswordpress
2.8.4
wordpresswordpress
2.8.4:a
wordpresswordpress
2.8.5
wordpresswordpress
2.8.5.1
wordpresswordpress
2.8.5.2
wordpresswordpress
2.8.6
wordpresswordpress
2.9
wordpresswordpress
2.9.1
wordpresswordpress
2.9.1.1
wordpresswordpress
2.9.2
wordpresswordpress
3.3
wordpresswordpress
3.3.1
wordpresswordpress
3.3.2
wordpresswordpress
3.3.3
wordpresswordpress
3.4.0
wordpresswordpress
3.4.1
wordpresswordpress
3.4.2
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
wordpress
bullseye (security)
5.7.11+dfsg1-0+deb11u1
fixed
bullseye
5.7.11+dfsg1-0+deb11u1
fixed
bookworm
6.1.6+dfsg1-0+deb12u1
fixed
bookworm (security)
6.1.6+dfsg1-0+deb12u1
fixed
sid
6.6.1+dfsg1-1
fixed
trixie
6.6.1+dfsg1-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
wordpress
zesty
not-affected
yakkety
not-affected
xenial
not-affected
wily
not-affected
vivid
not-affected
utopic
not-affected
trusty
dne
saucy
not-affected
raring
not-affected
quantal
ignored
precise
ignored
oneiric
ignored
lucid
ignored
hardy
ignored
References
http://codex.wordpress.org/Version_3.5.1
http://core.trac.wordpress.org/changeset/23330
http://wordpress.org/news/2013/01/wordpress-3-5-1/
http://www.acunetix.com/blog/web-security-zone/wordpress-pingback-vulnerability/
https://bugzilla.redhat.com/show_bug.cgi?id=904120
http://codex.wordpress.org/Version_3.5.1
http://core.trac.wordpress.org/changeset/23330
http://wordpress.org/news/2013/01/wordpress-3-5-1/
http://www.acunetix.com/blog/web-security-zone/wordpress-pingback-vulnerability/
https://bugzilla.redhat.com/show_bug.cgi?id=904120