WordPress is affected by an unauthenticated blind SSRF in the pingback feature. Because of a TOCTOU race condition between the validation checks and the HTTP request, attackers can reach internal hosts that are explicitly forbidden.
[
  {
    "vendor": "WordPress",
    "product": "WordPress",
    "versions": [
      {
        "status": "affected",
        "versionType": "custom",
        "version": "4.1.30",
        "lessThanOrEqual": "6.1.1"
      }
    ],
    "defaultStatus": "affected"
  }
]