WordPress Zero-Day Exposes Password Reset Emails

A security expert has discovered a zero-day vulnerability in the WordPress password reset mechanism that allows an attacker to obtain the password reset link.

Threat ID:: CC-1393
Category:
Threat Severity:: Low
Threat Vector:: Zero day
Published:: 8 May 2017 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of this information contained in this page is at your own risk

Summary

A security expert has discovered a zero-day vulnerability in the WordPress password reset mechanism that allows an attacker to obtain the password reset link.

Affected platforms

The following platforms are known to be affected:

WordPress Core

WordPress - all versions

Threat details

The vulnerability, tracked via the CVE-2017-8295 identifier, affects all WordPress versions and is related to how WordPress sites put together the password reset emails.

An attacker can craft a malicious HTTP request that triggers a tainted password reset operation by injecting a custom SERVER_NAME variable, such as "attacker-domain.com". Therefore when the WordPress site puts together the password reset email, the "From" and "Return-Path" values will be in the form of "[email protected]".

Remediation steps

Type	Step
	Users can enable the UseCanonicalName setting on Apache to enforce a static SERVER_NAME Ensure all WordPress websites have all relevant updates and patches applied.

CVE Vulnerabilities

Status

CVE-2017-8295

Last edited: 17 February 2020 11:41 am