// For flags

CVE-2017-8295

Wordpress Core < 5.5 - Unauthorized Password Reset via Interception

Severity Score

5.9
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

4
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

WordPress through 4.7.4 relies on the Host HTTP header for a password-reset e-mail message, which makes it easier for remote attackers to reset arbitrary passwords by making a crafted wp-login.php?action=lostpassword request and then arranging for this message to bounce or be resent, leading to transmission of the reset key to a mailbox on an attacker-controlled SMTP server. This is related to problematic use of the SERVER_NAME variable in wp-includes/pluggable.php in conjunction with the PHP mail function. Exploitation is not achievable in all cases because it requires at least one of the following: (1) the attacker can prevent the victim from receiving any e-mail messages for an extended period of time (such as 5 days), (2) the victim's e-mail system sends an autoresponse containing the original message, or (3) the victim manually composes a reply containing the original message.

WordPress hasta la versión 4.7.4 se basa en el encabezado HOST de HTTP para un mensaje de correo electrónico de restablecimiento de contraseña, lo que hace más fácil para los atacantes remotos restablecer contraseñas arbitrarias mediante una solicitud wp-login.php?action=lostpassword especialmente diseñada y después hacer lo necesario para que dicho mensaje se devuelva o sea reenviado, dando lugar a la transmisión de la clave de restablecimiento a un buzón en un servidor SMTP controlado por el atacante. Esto está relacionado con el uso problemático de la variable SERVER_NAME en wp-includes/pluggable.php junto con la función de correo de PHP. La explotación no es posible en todos los casos porque requiere al menos uno de los siguientes: (1) el atacante puede evitar que la víctima reciba mensajes de correo electrónico durante un período de tiempo prolongado (como 5 días), (2) el sistema de correo electrónico de la víctima envía una respuesta automática que contiene el mensaje original, o (3) la víctima compone manualmente una respuesta que contiene el mensaje original.

WordPress up to version 5.5 relies on the Host HTTP header for a password-reset e-mail message, which makes it easier for remote attackers to reset arbitrary passwords by making a crafted wp-login.php?action=lostpassword request and then arranging for this message to bounce or be resent, leading to transmission of the reset key to a mailbox on an attacker-controlled SMTP server. This is related to problematic use of the SERVER_NAME variable in wp-includes/pluggable.php in conjunction with the PHP mail function. Exploitation is not achievable in all cases because it requires at least one of the following: (1) the attacker can prevent the victim from receiving any e-mail messages for an extended period of time (such as 5 days), (2) the victim's e-mail system sends an autoresponse containing the original message, or (3) the victim manually composes a reply containing the original message.

*Credits: Dawid Golunski
CVSS Scores
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
None
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2017-04-27 CVE Reserved
  • 2017-05-03 CVE Published
  • 2017-05-04 First Exploit
  • 2024-08-05 CVE Updated
  • 2024-11-16 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-640: Weak Password Recovery Mechanism for Forgotten Password
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Wordpress
Search vendor "Wordpress"
Wordpress
Search vendor "Wordpress" for product "Wordpress"
<= 4.7.4
Search vendor "Wordpress" for product "Wordpress" and version " <= 4.7.4"
-
Affected