Researchers discovered a severe blind SSRF vulnerability in WordPress that could allow DDoS attacks. Notably, the vulnerability existed in the WordPress platform for at least six years.
WordPress Blind SSRF Vulnerability
According to a recent post from Sonar, a serious blind server-side request forgery (SSRF) vulnerability affected the pingback implementation in WordPress. Exploiting the vulnerability allows an adversary to take down a target website via DDoS attacks.
Explaining the vulnerability of the Pingback feature, the researchers stated that its continuous exposure to attackers remains a significant attack vector to bring down websites. Describing further, the researchers mentioned in their post,
The pingback functionality is exposed on the XML-RPC API of WordPress. As a reminder, this is an API endpoint expecting XML documents in which the client can choose a function to invoke along with arguments.
An adversary can access the pingback functionality via the xmlrpc.php file, triggering the other blogs to announce pingbacks. Consequently, exploiting such pingbacks from multiple blogs enables the attacker to perform distributed denial of service (DDoS) attacks.
The technical details about the issue are available in Sonar’s post.
No Patch Available Yet
The vulnerability first caught a researcher’s attention back in 2017, followed by many others in the following years. However, unfortunately, the flaw never received an official patch.
Even now, team Sonar has confirmed that the vulnerability remains unpatched until disclosure (and until the time of writing this story). While that’s risky to disclose such bugs, the researchers clarified that they had to disclose the vulnerability publicly given the years-old existence of the issue. Nonetheless, they confirmed the vulnerability as a “low impact” one, requiring chaining other vulnerabilities. Hence, disclosing it won’t endanger WordPress security.
While although no fix is yet available for the flaw, the researchers have proposed the following workaround for WordPress site admins.
As a temporary workaround, we recommend system administrators remove the handler
pingback.pingof the XMLRPC endpoint.
Researchers recommend blocking access to xmlrpc.php at the web server level.
Users can implement these workarounds to protect their sites until an official patch arrives.
Let us know your thoughts in the comments.