Hi @naber –
The threat you’ve asked about is a long-standing vulnerability that has been present in the WordPress software for some time, but we only recently added it to our threat database, so that’s why it has just appeared in your scan results only now. However, the vulnerability is not new. There is not currently a fix or patch available for the vulnerability, because it impacts the current version of WordPress, so updating the WordPress software will not resolve the issue.
In most situations, it is safe to ignore this particular vulnerability. Although the risk is low, if you are concerned about your site being specifically targeted and attacked, you could make sure that your WordPress instance is isolated in a separate IP-segment that does not have access to other services within the internal network.
This information is quite technical, but you can check it out if you’re interested to learn more:
https://blog.sonarsource.com/wordpress-core-unauthenticated-blind-ssrf/
The vulnerability will continue to appear in your Jetpack Protect scan results until the issue is patched in the WordPress software.
Please let us know if we can help with anything else.
C’mom guys, that’s a shame for WordPress :
2022-01-21 – We submit the vulnerability to the maintainers with a 90-day disclosure policy.
2022-01-21 – Our submission is triaged as Duplicate against a report originally sent (exactly) 5 years ago (2017-01-21).
As mentioned above, this will need to get fixed in WordPress. It isn’t something that we can fix on our end.
