Researchers have publicised a six-year-old blind SSRF vulnerability in a WordPress Pingback Core feature that could enable DDoS attacks.
Pingback requests, which are enabled by default, allow WordPress authors to be notified when another website links to their blog. The feature must be turned off manually.
The pingback functionality is exposed through the XML-RPC API, reachable via the xmlrpc.php file, which explicitly advertises the pingback methods. The feature could enable attackers to perform DDoS attacks by asking thousands of blogs to check for pingbacks on a single victim server.
The bug could ease the exploitation of other vulnerabilities in the affected organization’s internal network.
The WordPress maintainers had introduced restrictions on the destination of such requests, limiting them to a small set of ports and to public IP addresses only. Despite these restrictions, the vulnerability lets attackers send requests to hosts that would not otherwise have been reachable, for instance to exploit a vulnerability in internal services.
The researchers disclosed the issue to WordPress on January 21. According to Sonar, it was acknowledged as a duplicate of a bug reported to the WordPress team in January 2017 and marked as low impact, since exploiting it requires chaining two or more vulnerabilities.
- Website owners always use the DNS servers provided by their hosting provider.
- Users can turn off pingbacks. The XML-RPC endpoint will only make the HTTP requests if pingbacks are open for the post being pinged.
This research was documented by researchers from Sonar.
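As an added example (not Sonar's or WordPress's own code), this is the kind of destination check described above, written as a function a pingback fetcher could call before issuing its request: the scheme and port must be on an allowlist, and every address the host resolves to must be public. The port allowlist and the injectable resolver are assumptions made for the example.

```python
"""Destination check for outbound pingback requests (defender-side SSRF control)."""
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443, 8080}  # assumption: a small allowlist, not WordPress's own list


def default_resolver(host):
    """Return every A/AAAA address the host resolves to, as strings."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_pingback_target(url, resolver=default_resolver):
    """Return (ok, detail). ok is True only when scheme and port are allowed and
    every address behind the host is public (not loopback, private, link-local...)."""
    try:
        parts = urlparse(url)
        host = parts.hostname
        port = parts.port  # raises ValueError on a malformed port
    except ValueError as exc:
        return False, f"unparseable url: {exc}"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if not host:
        return False, "missing host"
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, f"port not allowed: {port}"
    # A literal IP needs no lookup; a name is resolved and *every* answer is checked,
    # because a single name may map to several addresses.
    try:
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError as exc:
            return False, f"dns failure: {exc}"
    if not addrs:
        return False, "host did not resolve"
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if not ip.is_global:
            return False, f"non-public address: {ip}"
    # Callers should connect to one of these validated addresses rather than
    # re-resolving the name, so the address that was checked is the one used.
    return True, f"ok: {host} -> {addrs} port {port}"
```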