CVE-2022-3590 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	5.9 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
WPScan	CNA	---				---
CVE	ADP	---				---
CISA-ADP	ADP	5.9 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 99%

Vendor	Product	Version
wordpress	wordpress	4.2 ≤ 𝑥 ≤ 6.1.1
wordpress	wordpress	4.1

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

wordpress

bullseye (security)	vulnerable
bullseye	no-dsa
bookworm	no-dsa
buster	postponed
bookworm (security)	vulnerable
sid	vulnerable
trixie	vulnerable

Ubuntu Releases

Ubuntu Product

Codename

wordpress

noble	needs-triage
mantic	ignored
lunar	ignored
kinetic	ignored
jammy	needs-triage
focal	needs-triage
bionic	needs-triage
xenial	needs-triage
trusty	ignored

Known Exploits!

Common Weakness Enumeration

CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
The software checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the software to perform invalid actions when the resource is in an unexpected state.

References

https://blog.sonarsource.com/wordpress-core-unauthenticated-blind-ssrf/

https://wpscan.com/vulnerability/c8814e6e-78b3-4f63-a1d3-6906a84c1f11

https://blog.sonarsource.com/wordpress-core-unauthenticated-blind-ssrf/

https://wpscan.com/vulnerability/c8814e6e-78b3-4f63-a1d3-6906a84c1f11