Computer Security Incident Response Team of Mauritius (CERT-MU)

VN-2017-66


WordPress Password Reset Server Name Validation Flaw Lets Remote Users Obtain Password Reset Information for the Target User in Certain Cases
Severity Rating: Medium
Systems Affected:
  • WordPress version 4.7.4 and prior
Description
A vulnerability was reported in WordPress that remote attackers can exploit to obtain a password reset code for the target user in certain cases. The vulnerability exists because the password reset function uses the PHP '$_SERVER['SERVER_NAME']' variable and does not properly validate the site domain name. On some web server configurations, a remote user can supply a specially crafted HTTP_HOST header value to the password reset page and thereby modify the SMTP 'From' or 'Return-Path' email header values used for sending the password reset email. If the target user's email server is not able to deliver SMTP messages to the target user, the password reset email may be returned to the remote user's email address.
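The missing validation described above, shown as an added PHP illustration (not WordPress code and not part of the original advisory): a sender address built directly from SERVER_NAME beside one checked against a configured host list. The host names, the 'noreply' local part and the function names are constructed for the example; 'wp_mail_from' is the WordPress filter for the sender address.

```php
<?php
// Added illustration, not WordPress code.
// ALLOWED_HOSTS and the "noreply" local part are constructed values.
const ALLOWED_HOSTS = ['blog.example.org', 'www.blog.example.org'];

// Pattern the advisory describes: the sender domain is taken from
// SERVER_NAME, which some web server configurations fill from the
// client-supplied Host header.
function sender_unvalidated(array $server): string
{
    return 'noreply@' . strtolower($server['SERVER_NAME'] ?? '');
}

// Validated form: the request may only select one of the configured
// hosts; anything else is logged and replaced by the first configured host.
function sender_validated(array $server, array $allowed = ALLOWED_HOSTS): string
{
    $name = strtolower(trim((string) ($server['SERVER_NAME'] ?? '')));
    if (!in_array($name, $allowed, true)) {
        // json_encode keeps control characters out of the log line.
        error_log('reset mail: unexpected server name ' . json_encode($name));
        $name = $allowed[0];
    }
    return 'noreply@' . $name;
}

if (function_exists('add_filter')) {
    // Loaded inside WordPress: pin the sender of outgoing mail.
    add_filter('wp_mail_from', function ($from) {
        return sender_validated($_SERVER);
    });
} else {
    // Stand-alone run over constructed request environments.
    $samples = [
        'configured host' => ['SERVER_NAME' => 'blog.example.org'],
        'unexpected host' => ['SERVER_NAME' => 'mail.other.example'],
        'no server name'  => [],
    ];
    foreach ($samples as $label => $server) {
        printf("%-16s unvalidated=%-28s validated=%s\n",
            $label, sender_unvalidated($server), sender_validated($server));
    }
}
```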
 
Solution
Users are advised to apply updates.
More information about the update is available on:
 
Vendor Information
WordPress
 
CVE Information
 
References
SecurityTracker
 
Exploit
 
Contact Information
 
Postal address
Mauritian Computer Emergency Response Team (CERT-MU)
National Computer Board
7th Floor, Stratton Court
La Poudriere Street
Port Louis