The wphttpvalidate_url function in wp-includes/http.php in WordPress before 4.4.2 allows remote attackers to conduct server-side request forgery (SSRF) attacks via a zero value in the first octet of an IPv4 address in the u parameter to wp-admin/press-this.php.
{ "availability": "No subscription required", "binaries": [ { "binary_name": "wordpress", "binary_version": "4.4.2+dfsg-1" }, { "binary_name": "wordpress-l10n", "binary_version": "4.4.2+dfsg-1" }, { "binary_name": "wordpress-theme-twentyfifteen", "binary_version": "4.4.2+dfsg-1" }, { "binary_name": "wordpress-theme-twentyfourteen", "binary_version": "4.4.2+dfsg-1" }, { "binary_name": "wordpress-theme-twentysixteen", "binary_version": "4.4.2+dfsg-1" } ] }