CVE-2016-4029

Published: Aug 7, 2016Modified: May 6, 2026

8.6

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

Exploitability: 3.9 / Impact: 4.0

Source: NVD

Description

WordPress before 4.5 does not consider octal and hexadecimal IP address formats when determining an intranet address, which allows remote attackers to bypass an intended SSRF protection mechanism via a crafted address.

Affected (2)

Products: Wordpress: Wordpress · Debian: Debian Linux

1 product

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Wordpress Wordpress	Before 4.5

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 8.0

Related CWEs

CWE-918

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (10)

http://codex.wordpress.org/Version_4.5

Source: cve@mitre.org

Release Notes

http://www.debian.org/security/2016/dsa-3681

Source: cve@mitre.org

Mailing List

http://www.securitytracker.com/id/1036594

Source: cve@mitre.org

Broken LinkThird Party AdvisoryVDB Entry

https://core.trac.wordpress.org/query?status=closed&milestone=4.5

Source: cve@mitre.org

Patch

https://wpvulndb.com/vulnerabilities/8473

Source: cve@mitre.org

Broken Link

http://codex.wordpress.org/Version_4.5