WordPress Password Reset Server Name Validation Flaw Lets Remote Users Obtain Password Reset Information for the Target User in Certain Cases
Severity Rating: Medium
- WordPress version 4.7.4 and prior
A vulnerability was reported in WordPress that can be exploited by remote attackers to obtain a password reset code for the target user in certain cases. The vulnerability exists because the password reset function builds mail headers from the PHP server variable '$_SERVER['SERVER_NAME']' and does not properly validate the site domain name. A remote user can supply a specially crafted HTTP Host header value to the password reset page and, on some web server configurations, thereby modify the SMTP 'From' or 'Return-Path' email header values used for sending the password reset email. If the target user's email server is not able to deliver the message to the target user, the password reset email may be bounced to the remote user's email address.
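The pattern described above, written out as an added illustrative example (this is not WordPress's own code and not part of the advisory): the first function derives the mail sender domain from the request-controlled server name, the second takes it from trusted configuration and refuses to send mail when the request's Host does not match an explicit allowlist. The constant SITE_URL, the allowlist, and the sample server arrays are assumptions constructed for the demonstration.

```php
<?php
// Added example, not WordPress code. Demonstrates why deriving the sender
// domain from SERVER_NAME is unsafe and how a hardened version behaves.

// Vulnerable pattern: on web servers where SERVER_NAME is filled from the
// client-supplied Host header (e.g. a catch-all virtual host, or Apache with
// UseCanonicalName Off), the sender domain becomes attacker-controlled and
// the bounce (Return-Path) of an undeliverable reset mail goes off-site.
function senderFromServerName(array $server): string
{
    $sitename = strtolower($server['SERVER_NAME'] ?? 'localhost');
    if (substr($sitename, 0, 4) === 'www.') {
        $sitename = substr($sitename, 4);
    }
    return 'wordpress@' . $sitename;
}

// Hardened pattern: take the hostname from trusted configuration only.
// SITE_URL and ALLOWED_HOSTS are assumed configuration values for this example.
const SITE_URL      = 'https://example.org';
const ALLOWED_HOSTS = ['example.org', 'www.example.org'];

function senderFromConfig(array $server): string
{
    $configured = strtolower((string) parse_url(SITE_URL, PHP_URL_HOST));

    // Defense in depth: the request's Host must be one we serve; otherwise the
    // request is not for this site and no reset mail should be generated.
    $requestHost = strtolower($server['HTTP_HOST'] ?? $server['SERVER_NAME'] ?? '');
    $requestHost = preg_replace('/:\d+$/', '', $requestHost); // drop an explicit port
    if (!in_array($requestHost, ALLOWED_HOSTS, true)) {
        throw new RuntimeException("Refusing to send mail: unexpected Host '$requestHost'");
    }

    // Reject anything that could smuggle extra mail headers into From/Return-Path.
    if ($configured === '' || preg_match('/[\r\n\s@<>,;]/', $configured)) {
        throw new RuntimeException('Configured site host is not a valid mail domain');
    }
    return 'wordpress@' . $configured;
}

// Constructed sample requests: one with a spoofed host, one legitimate.
$spoofedRequest = ['SERVER_NAME' => 'untrusted.example', 'HTTP_HOST' => 'untrusted.example'];
$normalRequest  = ['SERVER_NAME' => 'www.example.org',   'HTTP_HOST' => 'www.example.org'];

// The vulnerable function silently adopts the spoofed domain as the sender.
echo "vulnerable: ", senderFromServerName($spoofedRequest), PHP_EOL;

// The hardened function refuses the spoofed request and serves the normal one
// with the configured domain regardless of what the request said.
try {
    senderFromConfig($spoofedRequest);
} catch (RuntimeException $e) {
    echo "hardened:   ", $e->getMessage(), PHP_EOL;
}
echo "hardened:   ", senderFromConfig($normalRequest), PHP_EOL;
```

At the web-server layer the same exposure is closed by giving the site a fixed canonical name (for Apache, a ServerName directive with UseCanonicalName On) and by routing unknown Host values to a default virtual host that does not serve the application, so that a spoofed header never reaches the password reset page under the site's identity.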
Users are advised to apply updates.
More information about the update is available on:
Mauritian Computer Emergency Response Team (CERT-MU)
National Computer Board
7th Floor, Stratton Court
La Poudriere Street