CVE-2017-8295

Wordpress Core < 5.5 - Unauthorized Password Reset via Interception

Severity Score

5.9

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

WordPress through 4.7.4 relies on the Host HTTP header for a password-reset e-mail message, which makes it easier for remote attackers to reset arbitrary passwords by making a crafted wp-login.php?action=lostpassword request and then arranging for this message to bounce or be resent, leading to transmission of the reset key to a mailbox on an attacker-controlled SMTP server. This is related to problematic use of the SERVER_NAME variable in wp-includes/pluggable.php in conjunction with the PHP mail function. Exploitation is not achievable in all cases because it requires at least one of the following: (1) the attacker can prevent the victim from receiving any e-mail messages for an extended period of time (such as 5 days), (2) the victim's e-mail system sends an autoresponse containing the original message, or (3) the victim manually composes a reply containing the original message.

WordPress hasta la versión 4.7.4 se basa en el encabezado HOST de HTTP para un mensaje de correo electrónico de restablecimiento de contraseña, lo que hace más fácil para los atacantes remotos restablecer contraseñas arbitrarias mediante una solicitud wp-login.php?action=lostpassword especialmente diseñada y después hacer lo necesario para que dicho mensaje se devuelva o sea reenviado, dando lugar a la transmisión de la clave de restablecimiento a un buzón en un servidor SMTP controlado por el atacante. Esto está relacionado con el uso problemático de la variable SERVER_NAME en wp-includes/pluggable.php junto con la función de correo de PHP. La explotación no es posible en todos los casos porque requiere al menos uno de los siguientes: (1) el atacante puede evitar que la víctima reciba mensajes de correo electrónico durante un período de tiempo prolongado (como 5 días), (2) el sistema de correo electrónico de la víctima envía una respuesta automática que contiene el mensaje original, o (3) la víctima compone manualmente una respuesta que contiene el mensaje original.

WordPress up to version 5.5 relies on the Host HTTP header for a password-reset e-mail message, which makes it easier for remote attackers to reset arbitrary passwords by making a crafted wp-login.php?action=lostpassword request and then arranging for this message to bounce or be resent, leading to transmission of the reset key to a mailbox on an attacker-controlled SMTP server. This is related to problematic use of the SERVER_NAME variable in wp-includes/pluggable.php in conjunction with the PHP mail function. Exploitation is not achievable in all cases because it requires at least one of the following: (1) the attacker can prevent the victim from receiving any e-mail messages for an extended period of time (such as 5 days), (2) the victim's e-mail system sends an autoresponse containing the original message, or (3) the victim manually composes a reply containing the original message.

*Credits: Dawid Golunski

CVSS Scores

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2017-04-27 CVE Reserved
2017-05-03 CVE Published
2017-05-04 First Exploit
2024-06-26 EPSS Updated
2024-08-05 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-640: Weak Password Recovery Mechanism for Forgotten Password

CAPEC

References (8)

URL	Tag	Source
http://www.securityfocus.com/bid/98295	Third Party Advisory
http://www.securitytracker.com/id/1038403	Vdb Entry
https://wpvulndb.com/vulnerabilities/8807	X_refsource_misc

URL	Date	SRC
https://www.exploit-db.com/exploits/41963	2024-08-05
https://github.com/cyberheartmi9/CVE-2017-8295	2019-10-22
https://github.com/homjxi0e/CVE-2017-8295-WordPress-4.7.4---Unauthorized-Password-Reset	2017-05-04
https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html	2024-08-05

URL	Date	SRC

URL	Date	SRC
http://www.debian.org/security/2017/dsa-3870	2017-11-04

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				<= 4.7.4 Search vendor "Wordpress" for product "Wordpress" and version " <= 4.7.4"		-		Affected