WordPress exploit opens up the ability to intercept password resets – update


WordPress Core contains an unpatched vulnerability that, under certain circumstances, allows attackers to reset user passwords and gain access to the affected accounts.

Vulnerability CVE-2017-8295 affects all versions of WordPress, including the most recent, version 4.7.4. The problem lies in the way WordPress builds the reset emails, claims Dawid Golunski of Legal Hackers, who explains the vulnerability on ExploitBox.

WordPress obtains the hostname for the From/Return header of the reset mail from the SERVER_NAME variable, Golunski explains. “Some large web servers, such as Apache, set the SERVER_NAME variable based on the hostname set by the client,” says the researcher. This gives an attacker a way to have the variable point to a different domain and so intercept the reset link in the mail.

As one possible scenario, Golunski mentions a DoS attack on the victim’s email account, so that the reset email bounces to the attacker’s domain. A victim could also be persuaded to reply to the message, for example after receiving several reset emails and asking for an explanation, in which case the reply goes to the attacker’s domain as well.

No patch is available yet, but users can apply a temporary workaround by enabling UseCanonicalName, which gives SERVER_NAME a static value. Golunski says he has notified WordPress several times since July 2016, without success. The report also went nowhere via HackerOne, so he decided to publish.
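As an added illustration (not from the article or from Golunski’s advisory), the Apache virtual host configuration below shows the default setting beside the UseCanonicalName workaround mentioned above; the hostname and document root are placeholders.

```apache
# Added example, not from the article. 'blog.example.com' and the
# DocumentRoot are placeholders for the site's real values.

# Default behaviour (Off): Apache derives SERVER_NAME from the Host
# header supplied by the client, so the hostname WordPress puts into the
# reset mail's From/Return header follows the request.
<VirtualHost *:80>
    ServerName blog.example.com
    UseCanonicalName Off
    DocumentRoot /var/www/wordpress
</VirtualHost>

# Workaround described in the article (On): Apache builds SERVER_NAME
# from the configured ServerName instead, so the value is static no
# matter what Host header arrives. ServerName must be set explicitly
# for this to give a predictable result.
<VirtualHost *:80>
    ServerName blog.example.com
    UseCanonicalName On
    DocumentRoot /var/www/wordpress
</VirtualHost>
```

After changing the setting, reload Apache and confirm the value with a page that prints $_SERVER['SERVER_NAME'] so the mail hostname is known to be the configured one.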

Update, Monday, May 8, 13:00: A patch is still not available, but patches have been proposed in the corresponding Trac entry for WordPress Core.
