Launchpad.net

Launchpad Home
Code
Bugs
Blueprints
Translations
Answers

CVE 2016-2222

The wp_http_validate_url function in wp-includes/http.php in WordPress before 4.4.2 allows remote attackers to conduct server-side request forgery (SSRF) attacks via a zero value in the first octet of an IPv4 address in the u parameter to wp-admin/press-this.php.

See the

CVE page on Mitre.org for more details.

References

CONFIRM: https://codex.wordpres...
CONFIRM: https://core.trac.word...
CONFIRM: https://wordpress.org/...
MISC: https://hackerone.com/...
MISC: https://wpvulndb.com/v...
BID: 82454
SECTRACK: 1034933
DEBIAN: DSA-3472
MISC: https://news.ycombinat...

Launchpad.net

CVE 2016-2222

Related bugs

References