{"id":"CVE-2016-4029","details":"WordPress before 4.5 does not consider octal and hexadecimal IP address formats when determining an intranet address, which allows remote attackers to bypass an intended SSRF protection mechanism via a crafted address.","modified":"2026-05-18T05:48:30.114642262Z","published":"2016-08-07T16:59:00.143Z","database_specific":{"unresolved_ranges":[{"cpes":["cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*"],"vendor_product":"debian:debian_linux","source":"CPE_FIELD","extracted_events":[{"last_affected":"8.0"}]}]},"references":[{"type":"WEB","url":"https://wpvulndb.com/vulnerabilities/8473"},{"type":"ADVISORY","url":"http://codex.wordpress.org/Version_4.5"},{"type":"ADVISORY","url":"http://www.securitytracker.com/id/1036594"},{"type":"FIX","url":"https://core.trac.wordpress.org/query?status=closed&milestone=4.5"},{"type":"ARTICLE","url":"http://www.debian.org/security/2016/dsa-3681"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/wordpress/wordpress","events":[{"introduced":"0"},{"fixed":"e3aafee3f2bc07e09bf79389f20ea3db731466c3"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"4.5"}],"cpe":"cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*","source":"CPE_FIELD"}}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-4029.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/wordpress/wordpress-develop","events":[{"introduced":"0"},{"fixed":"7acf453090c10537e6f41fc4cf2608d7bbcce8ca"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"4.5"}],"cpe":"cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*","source":"CPE_FIELD"}}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-4029.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"}]}