ID CVE-2013-0235
Summary The XMLRPC API in WordPress before 3.5.1 allows remote attackers to send HTTP requests to intranet servers, and conduct port-scanning attacks, by specifying a crafted source URL for a pingback, related to a Server-Side Request Forgery (SSRF) issue.
References
Vulnerable Configurations
  • WordPress 3.5.0
    cpe:2.3:a:wordpress:wordpress:3.5.0
  • WordPress 3.4.2
    cpe:2.3:a:wordpress:wordpress:3.4.2
  • WordPress 3.4.1
    cpe:2.3:a:wordpress:wordpress:3.4.1
  • WordPress 3.4.0
    cpe:2.3:a:wordpress:wordpress:3.4.0
  • WordPress 3.3
    cpe:2.3:a:wordpress:wordpress:3.3
  • WordPress 3.3.1
    cpe:2.3:a:wordpress:wordpress:3.3.1
  • WordPress 3.3.3
    cpe:2.3:a:wordpress:wordpress:3.3.3
  • WordPress 3.3.2
    cpe:2.3:a:wordpress:wordpress:3.3.2
  • WordPress 2.5.1
    cpe:2.3:a:wordpress:wordpress:2.5.1
  • WordPress 2.0.11
    cpe:2.3:a:wordpress:wordpress:2.0.11
  • WordPress 2.6.2
    cpe:2.3:a:wordpress:wordpress:2.6.2
  • WordPress 2.1.3
    cpe:2.3:a:wordpress:wordpress:2.1.3
  • WordPress 2.2.3
    cpe:2.3:a:wordpress:wordpress:2.2.3
  • WordPress 2.3
    cpe:2.3:a:wordpress:wordpress:2.3
  • WordPress 2.0.8
    cpe:2.3:a:wordpress:wordpress:2.0.8
  • WordPress 2.8
    cpe:2.3:a:wordpress:wordpress:2.8
  • WordPress 2.0.9
    cpe:2.3:a:wordpress:wordpress:2.0.9
  • WordPress 2.2
    cpe:2.3:a:wordpress:wordpress:2.2
  • WordPress 2.2.1
    cpe:2.3:a:wordpress:wordpress:2.2.1
  • WordPress 2.3.3
    cpe:2.3:a:wordpress:wordpress:2.3.3
  • WordPress 2.8.6
    cpe:2.3:a:wordpress:wordpress:2.8.6
  • WordPress 2.6.3
    cpe:2.3:a:wordpress:wordpress:2.6.3
  • WordPress 2.8.4
    cpe:2.3:a:wordpress:wordpress:2.8.4
  • WordPress 2.6.1
    cpe:2.3:a:wordpress:wordpress:2.6.1
  • WordPress 2.6
    cpe:2.3:a:wordpress:wordpress:2.6
  • WordPress 2.3.1
    cpe:2.3:a:wordpress:wordpress:2.3.1
  • WordPress 2.0
    cpe:2.3:a:wordpress:wordpress:2.0
  • WordPress 2.2.2
    cpe:2.3:a:wordpress:wordpress:2.2.2
  • WordPress 2.3.2
    cpe:2.3:a:wordpress:wordpress:2.3.2
  • WordPress 2.0.1
    cpe:2.3:a:wordpress:wordpress:2.0.1
  • WordPress 2.0.10
    cpe:2.3:a:wordpress:wordpress:2.0.10
  • WordPress 2.0.2
    cpe:2.3:a:wordpress:wordpress:2.0.2
  • WordPress 2.0.4
    cpe:2.3:a:wordpress:wordpress:2.0.4
  • WordPress 2.0.5
    cpe:2.3:a:wordpress:wordpress:2.0.5
  • WordPress 2.0.6
    cpe:2.3:a:wordpress:wordpress:2.0.6
  • WordPress 2.0.7
    cpe:2.3:a:wordpress:wordpress:2.0.7
  • WordPress 2.1
    cpe:2.3:a:wordpress:wordpress:2.1
  • WordPress 2.1.1
    cpe:2.3:a:wordpress:wordpress:2.1.1
  • WordPress 2.1.2
    cpe:2.3:a:wordpress:wordpress:2.1.2
  • WordPress 2.9.2
    cpe:2.3:a:wordpress:wordpress:2.9.2
  • WordPress 2.7
    cpe:2.3:a:wordpress:wordpress:2.7
  • WordPress 2.9
    cpe:2.3:a:wordpress:wordpress:2.9
  • WordPress 2.9.1
    cpe:2.3:a:wordpress:wordpress:2.9.1
  • WordPress 2.6.5
    cpe:2.3:a:wordpress:wordpress:2.6.5
  • WordPress 2.5
    cpe:2.3:a:wordpress:wordpress:2.5
  • WordPress 2.8.3
    cpe:2.3:a:wordpress:wordpress:2.8.3
  • WordPress 2.7.1
    cpe:2.3:a:wordpress:wordpress:2.7.1
  • WordPress 2.8.5
    cpe:2.3:a:wordpress:wordpress:2.8.5
  • WordPress 2.9.1.1
    cpe:2.3:a:wordpress:wordpress:2.9.1.1
  • WordPress 2.8.5.1
    cpe:2.3:a:wordpress:wordpress:2.8.5.1
  • WordPress 2.8.1
    cpe:2.3:a:wordpress:wordpress:2.8.1
  • WordPress 2.8.5.2
    cpe:2.3:a:wordpress:wordpress:2.8.5.2
  • WordPress 2.8.4:a
    cpe:2.3:a:wordpress:wordpress:2.8.4:a
  • WordPress 2.8.2
    cpe:2.3:a:wordpress:wordpress:2.8.2
  • WordPress 1.5.1.1
    cpe:2.3:a:wordpress:wordpress:1.5.1.1
  • WordPress 1.5.1.2
    cpe:2.3:a:wordpress:wordpress:1.5.1.2
  • WordPress 1.5.1.3
    cpe:2.3:a:wordpress:wordpress:1.5.1.3
  • WordPress 1.6.2
    cpe:2.3:a:wordpress:wordpress:1.6.2
  • WordPress 1.5.2
    cpe:2.3:a:wordpress:wordpress:1.5.2
  • WordPress 1.5
    cpe:2.3:a:wordpress:wordpress:1.5
  • WordPress 1.5.1
    cpe:2.3:a:wordpress:wordpress:1.5.1
  • WordPress 1.2.1
    cpe:2.3:a:wordpress:wordpress:1.2.1
  • WordPress 1.2.2
    cpe:2.3:a:wordpress:wordpress:1.2.2
  • WordPress 1.0.2
    cpe:2.3:a:wordpress:wordpress:1.0.2
  • WordPress 1.2
    cpe:2.3:a:wordpress:wordpress:1.2
  • WordPress 1.0
    cpe:2.3:a:wordpress:wordpress:1.0
  • WordPress 1.0.1
    cpe:2.3:a:wordpress:wordpress:1.0.1
  • WordPress 1.2.5
    cpe:2.3:a:wordpress:wordpress:1.2.5
  • WordPress 1.2.5:a
    cpe:2.3:a:wordpress:wordpress:1.2.5:a
  • WordPress 1.2.3
    cpe:2.3:a:wordpress:wordpress:1.2.3
  • WordPress 1.2.4
    cpe:2.3:a:wordpress:wordpress:1.2.4
  • WordPress 1.1.1
    cpe:2.3:a:wordpress:wordpress:1.1.1
  • WordPress 1.3.3
    cpe:2.3:a:wordpress:wordpress:1.3.3
  • WordPress 1.3
    cpe:2.3:a:wordpress:wordpress:1.3
  • WordPress 1.3.2
    cpe:2.3:a:wordpress:wordpress:1.3.2
  • WordPress 0.71
    cpe:2.3:a:wordpress:wordpress:0.71
CVSS
Base: 6.4 (as of 08-07-2013 - 21:00)
Impact:
Exploitability:
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL NONE
metasploit via4
description This module will scan for wordpress sites with the Pingback API enabled. By interfacing with the API an attacker can cause the wordpress site to port scan an external target and return results. Refer to the wordpress_pingback_portscanner module. This issue was fixed in wordpress 3.5.1
id MSF:AUXILIARY/SCANNER/HTTP/WORDPRESS_PINGBACK_ACCESS
last seen 2019-03-15
modified 2018-07-12
published 2013-01-05
reliability Normal
reporter Rapid7
source https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/wordpress_pingback_access.rb
title Wordpress Pingback Locator
nessus via4
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_559E00B76A4D11E2B6B010BF48230856.NASL
    description Wordpress reports : WordPress 3.5.1 also addresses the following security issues : - A server-side request forgery vulnerability and remote port scanning using pingbacks. This vulnerability, which could potentially be used to expose information and compromise a site, affects all previous WordPress versions. This was fixed by the WordPress security team. We'd like to thank security researchers Gennady Kovshenin and Ryan Dewhurst for reviewing our work. - Two instances of cross-site scripting via shortcodes and post content. These issues were discovered by Jon Cave of the WordPress security team. - A cross-site scripting vulnerability in the external library Plupload. Thanks to the Moxiecode team for working with us on this, and for releasing Plupload 1.5.5 to address this issue.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 64288
    published 2013-01-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64288
    title FreeBSD : wordpress -- multiple vulnerabilities (559e00b7-6a4d-11e2-b6b0-10bf48230856)
  • NASL family CGI abuses
    NASL id WORDPRESS_XMLRPC_PINGBACK_REQUEST_FORGERY.NASL
    description The WordPress install hosted on the remote web server is affected by a server-side request forgery vulnerability because the 'pingback.ping' method used in 'xmlrpc.php' fails to properly validate source URIs (Uniform Resource Identifiers). A remote, unauthenticated attacker can exploit this issue to disclose sensitive information and conduct remote port scanning against a remote host.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 64453
    published 2013-02-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64453
    title WordPress 'xmlrpc.php' pingback.ping Server-Side Request Forgery
  • NASL family CGI abuses
    NASL id WORDPRESS_3_5_1.NASL
    description According to its version number, the WordPress install hosted on the remote web server is affected by multiple vulnerabilities : - The application is affected by a server-side request forgery vulnerability in the 'pingback.ping' method used in 'xmlrpc.php'. This vulnerability can be used to expose information and remotely port scan a host using pingbacks. (CVE-2013-0235) - The application is affected by two instances of cross-site scripting (XSS) attacks via shortcodes and post content. (CVE-2013-0236) - The application is affected by a cross-site scripting (XSS) vulnerability in the Plupload external library. (CVE-2013-0237) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 64452
    published 2013-02-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64452
    title WordPress < 3.5.1 Multiple Vulnerabilities
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2013-1774.NASL
    description WordPress 3.5.1 is now available. Version 3.5.1 is the first maintenance release of 3.5, fixing 37 bugs. It is also a security release for all previous WordPress versions. Which include : - Editor: Prevent certain HTML elements from being unexpectedly removed or modified in rare cases. - Media: Fix a collection of minor workflow and compatibility issues in the new media manager. - Networks: Suggest proper rewrite rules when creating a new network. - Prevent scheduled posts from being stripped of certain HTML, such as video embeds, when they are published. - Work around some misconfigurations that may have caused some JavaScript in the WordPress admin area to fail. - Suppress some warnings that could occur when a plugin misused the database or user APIs. WordPress 3.5.1 also addresses the following security issues : - A server-side request forgery vulnerability and remote port scanning using pingbacks. This vulnerability, which could potentially be used to expose information and compromise a site, affects all previous WordPress versions. This was fixed by the WordPress security team. We'd like to thank security researchers Gennady Kovshenin and Ryan Dewhurst for reviewing our work. - Two instances of cross-site scripting via shortcodes and post content. These issues were discovered by Jon Cave of the WordPress security team. - A cross-site scripting vulnerability in the external library Plupload. Thanks to the Moxiecode team for working with us on this, and for releasing Plupload 1.5.5 to address this issue. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 64544
    published 2013-02-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64544
    title Fedora 18 : wordpress-3.5.1-1.fc18 (2013-1774)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2013-1692.NASL
    description WordPress 3.5.1 is now available. Version 3.5.1 is the first maintenance release of 3.5, fixing 37 bugs. It is also a security release for all previous WordPress versions. Which include : - Editor: Prevent certain HTML elements from being unexpectedly removed or modified in rare cases. - Media: Fix a collection of minor workflow and compatibility issues in the new media manager. - Networks: Suggest proper rewrite rules when creating a new network. - Prevent scheduled posts from being stripped of certain HTML, such as video embeds, when they are published. - Work around some misconfigurations that may have caused some JavaScript in the WordPress admin area to fail. - Suppress some warnings that could occur when a plugin misused the database or user APIs. WordPress 3.5.1 also addresses the following security issues : - A server-side request forgery vulnerability and remote port scanning using pingbacks. This vulnerability, which could potentially be used to expose information and compromise a site, affects all previous WordPress versions. This was fixed by the WordPress security team. We'd like to thank security researchers Gennady Kovshenin and Ryan Dewhurst for reviewing our work. - Two instances of cross-site scripting via shortcodes and post content. These issues were discovered by Jon Cave of the WordPress security team. - A cross-site scripting vulnerability in the external library Plupload. Thanks to the Moxiecode team for working with us on this, and for releasing Plupload 1.5.5 to address this issue. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 64539
    published 2013-02-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64539
    title Fedora 17 : wordpress-3.5.1-1.fc17 (2013-1692)
refmap via4
confirm
misc http://www.acunetix.com/blog/web-security-zone/wordpress-pingback-vulnerability/
the hacker news via4
Last major update 08-07-2013 - 00:00
Published 08-07-2013 - 16:55
Back to Top