WordPress <= 5.2.3 – Server-Side Request Forgery (SSRF) in URL Validation | CVE 2019-17669

Affects WordPress

3.8.1

Fixed in WordPress 3.8.31

3.8

Fixed in WordPress 3.8.31

3.7.1

Fixed in WordPress 3.7.31

3.9

Fixed in WordPress 3.9.29

3.9.1

Fixed in WordPress 3.9.29

3.7

Fixed in WordPress 3.7.31

3.8.2

Fixed in WordPress 3.8.31

3.8.3

Fixed in WordPress 3.8.31

3.9.2

Fixed in WordPress 3.9.29

4.0

Fixed in WordPress 4.0.28

4.1

Fixed in WordPress 4.1.28

4.1.1

Fixed in WordPress 4.1.28

4.2

Fixed in WordPress 4.2.25

3.9.3

Fixed in WordPress 3.9.29

4.1.2

Fixed in WordPress 4.1.28

4.2.1

Fixed in WordPress 4.2.25

4.0.1

Fixed in WordPress 4.0.28

4.1.5

Fixed in WordPress 4.1.28

4.1.4

Fixed in WordPress 4.1.28

4.1.3

Fixed in WordPress 4.1.28

3.8.4

Fixed in WordPress 3.8.31

3.7.4

Fixed in WordPress 3.7.31

4.2.3

Fixed in WordPress 4.2.25

3.8.8

Fixed in WordPress 3.8.31

3.8.5

Fixed in WordPress 3.8.31

3.8.6

Fixed in WordPress 3.8.31

3.8.7

Fixed in WordPress 3.8.31

3.7.2

Fixed in WordPress 3.7.31

3.7.3

Fixed in WordPress 3.7.31

3.7.5

Fixed in WordPress 3.7.31

3.7.6

Fixed in WordPress 3.7.31

3.7.7

Fixed in WordPress 3.7.31

3.7.8

Fixed in WordPress 3.7.31

3.7.9

Fixed in WordPress 3.7.31

3.8.9

Fixed in WordPress 3.8.31

3.9.4

Fixed in WordPress 3.9.29

3.9.5

Fixed in WordPress 3.9.29

3.9.6

Fixed in WordPress 3.9.29

3.9.7

Fixed in WordPress 3.9.29

4.0.2

Fixed in WordPress 4.0.28

4.0.3

Fixed in WordPress 4.0.28

4.0.4

Fixed in WordPress 4.0.28

4.0.5

Fixed in WordPress 4.0.28

4.0.6

Fixed in WordPress 4.0.28

4.1.6

Fixed in WordPress 4.1.28

4.2.2

Fixed in WordPress 4.2.25

4.2.4

Fixed in WordPress 4.2.25

4.1.7

Fixed in WordPress 4.1.28

4.0.7

Fixed in WordPress 4.0.28

3.9.8

Fixed in WordPress 3.9.29

3.8.10

Fixed in WordPress 3.8.31

3.7.10

Fixed in WordPress 3.7.31

4.3

Fixed in WordPress 4.3.21

4.3.1

Fixed in WordPress 4.3.21

4.2.5

Fixed in WordPress 4.2.25

4.1.8

Fixed in WordPress 4.1.28

4.0.8

Fixed in WordPress 4.0.28

3.9.9

Fixed in WordPress 3.9.29

3.8.11

Fixed in WordPress 3.8.31

3.7.11

Fixed in WordPress 3.7.31

4.4

Fixed in WordPress 4.4.20

3.7.12

Fixed in WordPress 3.7.31

3.8.12

Fixed in WordPress 3.8.31

3.9.10

Fixed in WordPress 3.9.29

4.0.9

Fixed in WordPress 4.0.28

4.1.9

Fixed in WordPress 4.1.28

4.2.6

Fixed in WordPress 4.2.25

4.3.2

Fixed in WordPress 4.3.21

4.4.1

Fixed in WordPress 4.4.20

4.4.2

Fixed in WordPress 4.4.20

4.3.3

Fixed in WordPress 4.3.21

4.2.7

Fixed in WordPress 4.2.25

4.1.10

Fixed in WordPress 4.1.28

4.0.10

Fixed in WordPress 4.0.28

3.9.11

Fixed in WordPress 3.9.29

3.8.13

Fixed in WordPress 3.8.31

3.7.13

Fixed in WordPress 3.7.31

4.5

Fixed in WordPress 4.5.19

4.5.1

Fixed in WordPress 4.5.19

3.7.14

Fixed in WordPress 3.7.31

3.8.14

Fixed in WordPress 3.8.31

3.9.12

Fixed in WordPress 3.9.29

4.0.11

Fixed in WordPress 4.0.28

4.1.11

Fixed in WordPress 4.1.28

4.2.8

Fixed in WordPress 4.2.25

4.3.4

Fixed in WordPress 4.3.21

4.4.3

Fixed in WordPress 4.4.20

4.5.2

Fixed in WordPress 4.5.19

4.5.3

Fixed in WordPress 4.5.19

3.7.15

Fixed in WordPress 3.7.31

3.8.15

Fixed in WordPress 3.8.31

3.9.13

Fixed in WordPress 3.9.29

4.0.12

Fixed in WordPress 4.0.28

4.1.12

Fixed in WordPress 4.1.28

4.2.9

Fixed in WordPress 4.2.25

4.3.5

Fixed in WordPress 4.3.21

4.4.4

Fixed in WordPress 4.4.20

4.6

Fixed in WordPress 4.6.16

3.7.16

Fixed in WordPress 3.7.31

3.8.16

Fixed in WordPress 3.8.31

3.9.14

Fixed in WordPress 3.9.29

4.0.13

Fixed in WordPress 4.0.28

4.1.13

Fixed in WordPress 4.1.28

4.2.10

Fixed in WordPress 4.2.25

4.3.6

Fixed in WordPress 4.3.21

4.4.5

Fixed in WordPress 4.4.20

4.5.4

Fixed in WordPress 4.5.19

4.6.1

Fixed in WordPress 4.6.16

4.7

Fixed in WordPress 4.7.15

3.7.17

Fixed in WordPress 3.7.31

3.8.17

Fixed in WordPress 3.8.31

3.9.15

Fixed in WordPress 3.9.29

4.0.14

Fixed in WordPress 4.0.28

4.1.14

Fixed in WordPress 4.1.28

4.2.11

Fixed in WordPress 4.2.25

4.3.7

Fixed in WordPress 4.3.21

4.4.6

Fixed in WordPress 4.4.20

4.5.5

Fixed in WordPress 4.5.19

4.7.1

Fixed in WordPress 4.7.15

4.6.2

Fixed in WordPress 4.6.16

3.7.18

Fixed in WordPress 3.7.31

3.8.18

Fixed in WordPress 3.8.31

3.9.16

Fixed in WordPress 3.9.29

4.0.15

Fixed in WordPress 4.0.28

4.1.15

Fixed in WordPress 4.1.28

4.2.12

Fixed in WordPress 4.2.25

4.3.8

Fixed in WordPress 4.3.21

4.4.7

Fixed in WordPress 4.4.20

4.5.6

Fixed in WordPress 4.5.19

4.6.3

Fixed in WordPress 4.6.16

4.7.2

Fixed in WordPress 4.7.15

3.7.19

Fixed in WordPress 3.7.31

3.8.19

Fixed in WordPress 3.8.31

3.9.17

Fixed in WordPress 3.9.29

4.0.16

Fixed in WordPress 4.0.28

4.1.16

Fixed in WordPress 4.1.28

4.2.13

Fixed in WordPress 4.2.25

4.3.9

Fixed in WordPress 4.3.21

4.4.8

Fixed in WordPress 4.4.20

4.5.7

Fixed in WordPress 4.5.19

4.6.4

Fixed in WordPress 4.6.16

4.7.3

Fixed in WordPress 4.7.15

3.7.20

Fixed in WordPress 3.7.31

3.8.20

Fixed in WordPress 3.8.31

3.9.18

Fixed in WordPress 3.9.29

4.0.17

Fixed in WordPress 4.0.28

4.1.17

Fixed in WordPress 4.1.28

4.2.14

Fixed in WordPress 4.2.25

4.3.10

Fixed in WordPress 4.3.21

4.4.9

Fixed in WordPress 4.4.20

4.5.8

Fixed in WordPress 4.5.19

4.6.5

Fixed in WordPress 4.6.16

4.7.4

Fixed in WordPress 4.7.15

4.7.5

Fixed in WordPress 4.7.15

3.7.21

Fixed in WordPress 3.7.31

3.8.21

Fixed in WordPress 3.8.31

3.9.19

Fixed in WordPress 3.9.29

4.0.18

Fixed in WordPress 4.0.28

4.1.18

Fixed in WordPress 4.1.28

4.2.15

Fixed in WordPress 4.2.25

4.3.11

Fixed in WordPress 4.3.21

4.4.10

Fixed in WordPress 4.4.20

4.5.9

Fixed in WordPress 4.5.19

4.6.6

Fixed in WordPress 4.6.16

4.8

Fixed in WordPress 4.8.11

4.8.1

Fixed in WordPress 4.8.11

3.7.22

Fixed in WordPress 3.7.31

3.8.22

Fixed in WordPress 3.8.31

3.9.20

Fixed in WordPress 3.9.29

4.0.19

Fixed in WordPress 4.0.28

4.1.19

Fixed in WordPress 4.1.28

4.2.16

Fixed in WordPress 4.2.25

4.3.12

Fixed in WordPress 4.3.21

4.4.11

Fixed in WordPress 4.4.20

4.5.10

Fixed in WordPress 4.5.19

4.6.7

Fixed in WordPress 4.6.16

4.7.6

Fixed in WordPress 4.7.15

4.8.2

Fixed in WordPress 4.8.11

4.8.3

Fixed in WordPress 4.8.11

3.7.23

Fixed in WordPress 3.7.31

3.8.23

Fixed in WordPress 3.8.31

3.9.21

Fixed in WordPress 3.9.29

4.0.20

Fixed in WordPress 4.0.28

4.1.20

Fixed in WordPress 4.1.28

4.2.17

Fixed in WordPress 4.2.25

4.3.13

Fixed in WordPress 4.3.21

4.4.12

Fixed in WordPress 4.4.20

4.5.11

Fixed in WordPress 4.5.19

4.6.8

Fixed in WordPress 4.6.16

4.7.7

Fixed in WordPress 4.7.15

4.9

Fixed in WordPress 4.9.12

4.9.1

Fixed in WordPress 4.9.12

4.8.4

Fixed in WordPress 4.8.11

4.7.8

Fixed in WordPress 4.7.15

4.6.9

Fixed in WordPress 4.6.16

4.5.12

Fixed in WordPress 4.5.19

4.4.13

Fixed in WordPress 4.4.20

4.3.14

Fixed in WordPress 4.3.21

4.2.18

Fixed in WordPress 4.2.25

4.1.21

Fixed in WordPress 4.1.28

4.0.21

Fixed in WordPress 4.0.28

3.9.22

Fixed in WordPress 3.9.29

3.8.24

Fixed in WordPress 3.8.31

3.7.24

Fixed in WordPress 3.7.31

4.9.2

Fixed in WordPress 4.9.12

4.8.5

Fixed in WordPress 4.8.11

4.7.9

Fixed in WordPress 4.7.15

4.6.10

Fixed in WordPress 4.6.16

4.5.13

Fixed in WordPress 4.5.19

4.4.14

Fixed in WordPress 4.4.20

4.3.15

Fixed in WordPress 4.3.21

4.2.19

Fixed in WordPress 4.2.25

4.1.22

Fixed in WordPress 4.1.28

4.0.22

Fixed in WordPress 4.0.28

3.9.23

Fixed in WordPress 3.9.29

3.8.25

Fixed in WordPress 3.8.31

3.7.25

Fixed in WordPress 3.7.31

4.9.3

Fixed in WordPress 4.9.12

4.9.4

Fixed in WordPress 4.9.12

3.7.26

Fixed in WordPress 3.7.31

3.8.26

Fixed in WordPress 3.8.31

3.9.24

Fixed in WordPress 3.9.29

4.0.23

Fixed in WordPress 4.0.28

4.1.23

Fixed in WordPress 4.1.28

4.2.20

Fixed in WordPress 4.2.25

4.3.16

Fixed in WordPress 4.3.21

4.4.15

Fixed in WordPress 4.4.20

4.5.14

Fixed in WordPress 4.5.19

4.6.11

Fixed in WordPress 4.6.16

4.7.10

Fixed in WordPress 4.7.15

4.8.6

Fixed in WordPress 4.8.11

4.9.5

Fixed in WordPress 4.9.12

4.9.6

Fixed in WordPress 4.9.12

3.7.27

Fixed in WordPress 3.7.31

3.8.27

Fixed in WordPress 3.8.31

3.9.25

Fixed in WordPress 3.9.29

4.0.24

Fixed in WordPress 4.0.28

4.1.24

Fixed in WordPress 4.1.28

4.2.21

Fixed in WordPress 4.2.25

4.3.17

Fixed in WordPress 4.3.21

4.4.16

Fixed in WordPress 4.4.20

4.5.15

Fixed in WordPress 4.5.19

4.6.12

Fixed in WordPress 4.6.16

4.7.11

Fixed in WordPress 4.7.15

4.8.7

Fixed in WordPress 4.8.11

4.9.7

Fixed in WordPress 4.9.12

4.9.8

Fixed in WordPress 4.9.12

5.0

Fixed in WordPress 5.0.7

5.0.1

Fixed in WordPress 5.0.7

4.9.9

Fixed in WordPress 4.9.12

4.8.8

Fixed in WordPress 4.8.11

4.7.12

Fixed in WordPress 4.7.15

4.6.13

Fixed in WordPress 4.6.16

4.5.16

Fixed in WordPress 4.5.19

4.4.17

Fixed in WordPress 4.4.20

4.3.18

Fixed in WordPress 4.3.21

4.2.22

Fixed in WordPress 4.2.25

4.1.25

Fixed in WordPress 4.1.28

4.0.25

Fixed in WordPress 4.0.28

3.9.26

Fixed in WordPress 3.9.29

3.8.28

Fixed in WordPress 3.8.31

3.7.28

Fixed in WordPress 3.7.31

5.0.2

Fixed in WordPress 5.0.7

5.0.3

Fixed in WordPress 5.0.7

5.1

Fixed in WordPress 5.1.3

5.1.1

Fixed in WordPress 5.1.3

5.0.4

Fixed in WordPress 5.0.7

4.9.10

Fixed in WordPress 4.9.12

4.8.9

Fixed in WordPress 4.8.11

4.7.13

Fixed in WordPress 4.7.15

4.6.14

Fixed in WordPress 4.6.16

4.5.17

Fixed in WordPress 4.5.19

4.4.18

Fixed in WordPress 4.4.20

4.3.19

Fixed in WordPress 4.3.21

4.2.23

Fixed in WordPress 4.2.25

4.1.26

Fixed in WordPress 4.1.28

4.0.26

Fixed in WordPress 4.0.28

3.9.27

Fixed in WordPress 3.9.29

3.8.29

Fixed in WordPress 3.8.31

3.7.29

Fixed in WordPress 3.7.31

5.2

Fixed in WordPress 5.2.4

5.2.1

Fixed in WordPress 5.2.4

5.2.2

Fixed in WordPress 5.2.4

5.2.3

Fixed in WordPress 5.2.4

5.1.2

Fixed in WordPress 5.1.3

5.0.6

Fixed in WordPress 5.0.7

4.9.11

Fixed in WordPress 4.9.12

4.8.10

Fixed in WordPress 4.8.11

4.7.14

Fixed in WordPress 4.7.15

4.6.15

Fixed in WordPress 4.6.16

4.5.18

Fixed in WordPress 4.5.19

4.4.19

Fixed in WordPress 4.4.20

4.3.20

Fixed in WordPress 4.3.21

4.2.24

Fixed in WordPress 4.2.25

4.1.27

Fixed in WordPress 4.1.28

4.0.27

Fixed in WordPress 4.0.28

3.9.28

Fixed in WordPress 3.9.29

3.8.30

Fixed in WordPress 3.8.31

3.7.30

Fixed in WordPress 3.7.31

References

CVE

CVE-2019-17669

CVE

CVE-2019-17670

URL

https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/

URL

https://github.com/WordPress/WordPress/commit/9db44754b9e4044690a6c32fd74b9d5fe26b07b2

URL

https://blog.wpscan.com/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html

Classification

Type

SSRF

OWASP top 10

A1: Injection

CWE

CWE-918

CVSS

9.8 (critical)

Miscellaneous

Original Researcher

Eugene Kolodenker

Verified

WPVDB ID

26a26de2-d598-405d-b00c-61f71cfacff6

Timeline

Publicly Published

2019-10-14 (about 6 years ago)

Added

2019-10-15 (about 6 years ago)

Last Updated

2020-09-22 (about 5 years ago)

Other

Published

Title

Published

2024-03-13

Title

Automatic < 3.92.1 - Unauthenticated Arbitrary File Download and Server-Side Request Forgery

Published

2025-11-05

Title

Blog2Social: Social Media Auto Post & Scheduler < 8.6.1 - Authenticated (Subscriber+) Blind Server-Side Request Forgery via post_url

Published

2025-03-25

Title

Zapier for WordPress < 1.5.2 - Authenticated (Subscriber+) Blind Server-Side Request Forgery via updated_user Function

Published

2024-03-07

Title

Pz-LinkCard < 2.5.3 - Contributor+ SSRF

Published

2025-10-24

Title

Slider Templates <= 1.0.3 - Authenticated (Subscriber+) Server-Side Request Forgery