CVE-2016-2221 — Vulnetix

CVE-2016-2221 REJECTED

Open redirect vulnerability in the wp_validate_redirect function in wp-includes/pluggable.php in WordPress before 4.4.2 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a malformed URL that triggers incorrect hostname parsing, as demonstrated by an https:example.com URL.

EPSS 3.47% · 87.8th percentile

Risk Scores

EPSS Score

3.47%

87.8th percentile

Affected Products

Vendor	Product	Versions
Ubuntu:16.04:LTS	wordpress	0, 4.3+dfsg-1, 4.3.1+dfsg-1

Exploit Intelligence

https://codex.wordpress.org/Version_4.4.2 (circl)
1034933 (circl)
82463 (circl)
https://core.trac.wordpress.org/changeset/36444 (circl)
https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/ (circl)
DSA-3472 (circl)
https://wpvulndb.com/vulnerabilities/8377 (circl)

Timeline

May 22, 2016 CVE Published
Feb 4, 2022 EPSS Score
Mar 7, 2023 EPSS Score
Aug 5, 2024 CVE Updated
Mar 17, 2025 EPSS Score
Mar 23, 2025 EPSS Score
Mar 24, 2025 EPSS Score
Mar 29, 2025 EPSS Score
Mar 30, 2025 EPSS Score
May 1, 2025 EPSS Score
May 4, 2025 EPSS Score
Jun 1, 2025 EPSS Score

References

https://ubuntu.com/security/CVE-2016-2221 third-party-advisory
https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/ third-party-advisory
https://core.trac.wordpress.org/changeset/36444 third-party-advisory
http://www.openwall.com/lists/oss-security/2016/02/04/4 third-party-advisory
https://www.cve.org/CVERecord?id=CVE-2016-2221 third-party-advisory

Open in Interactive Console →