CVE-2017-8295
published 2017-05-04


Priority: P2 (75) · medium · 5.9 (CVSS 3.0)
CVSS 3.0 vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
ITW EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 26.70% (97.8th percentile)
WordPress through 4.7.4 relies on the Host HTTP header for a password-reset e-mail message, which makes it easier for remote attackers to reset arbitrary passwords by making a crafted wp-login.php?action=lostpassword request and then arranging for this message to bounce or be resent, leading to transmission of the reset key to a mailbox on an attacker-controlled SMTP server. This is related to problematic use of the SERVER_NAME variable in wp-includes/pluggable.php in conjunction with the PHP mail function. Exploitation is not achievable in all cases because it requires at least one of the following: (1) the attacker can prevent the victim from receiving any e-mail messages for an extended period of time (such as 5 days), (2) the victim's e-mail system sends an autoresponse containing the original message, or (3) the victim manually composes a reply containing the original message.

Affected (6 ranges)

Vendor    | Product   | Version range                        | Fixed in
debian    | wordpress | < wordpress 4.7.5+dfsg-2 (bookworm)  | wordpress 4.7.5+dfsg-2 (bookworm)
wordpress | wordpress | <= 4.7.4                             |
wordpress | wordpress | >= 0, < 4.7.5+dfsg-2                 | 4.7.5+dfsg-2
wordpress | wordpress | >= 0, < 4.7.5+dfsg-2                 | 4.7.5+dfsg-2
wordpress | wordpress | >= 0, < 4.7.5+dfsg-2                 | 4.7.5+dfsg-2
wordpress | wordpress | >= 0, < 4.7.5+dfsg-2                 | 4.7.5+dfsg-2

Detection & IOCs (extracted from sources)

url: wp-login.php?action=lostpassword
path: wp-includes/pluggable.php
  • Monitor HTTP requests to wp-login.php?action=lostpassword that contain a manipulated or attacker-controlled Host header, which is used by WordPress to construct the password-reset email's Return-Path, From, and Message-ID fields.
  • Inspect outgoing password-reset emails for Return-Path, From, and Message-ID headers containing an unexpected or attacker-controlled domain, indicating Host header injection via SERVER_NAME.
  • Alert on password-reset emails where the embedded reset link hostname does not match the legitimate WordPress site hostname, as this indicates a Host header injection attack.
  • Exploitation requires at least one of three conditions: the attacker blocks the victim's e-mail for an extended period (~5 days), the victim's e-mail system sends an autoresponse containing the original message, or the victim manually replies with the original message; exploitation is therefore conditional and not universally achievable.
  • The vulnerability is rooted in WordPress's use of the SERVER_NAME variable (derived from the Host HTTP header) in wp-includes/pluggable.php when calling the PHP mail function; patched in WordPress 4.7.5.
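A defender-side check for the first three detection bullets, added here as an example and not part of this record: it flags lost-password requests whose Host header is not one of the site's own hostnames in constructed access-log lines, and inspects a constructed reset e-mail for From, Return-Path, Message-ID and reset-link hostnames outside that set. The log line format, LEGIT_HOSTS and all sample values are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hostnames the site legitimately serves (assumption for this example).
LEGIT_HOSTS = {"blog.example.org", "www.blog.example.org"}

# Constructed access-log lines: client IP, method, request path, Host header value.
SAMPLE_LOG = """\
203.0.113.5 POST /wp-login.php?action=lostpassword host=blog.example.org
198.51.100.7 POST /wp-login.php?action=lostpassword host=attacker.invalid
198.51.100.7 GET /wp-login.php host=attacker.invalid
203.0.113.9 POST /wp-login.php?action=lostpassword host=www.blog.example.org
"""
LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) host=(?P<host>\S+)$")

def suspicious_reset_requests(log_text, legit_hosts=LEGIT_HOSTS):
    """Lost-password requests whose Host header is not one of the site's hostnames."""
    hits = []
    for m in (LOG_RE.match(line) for line in log_text.splitlines()):
        if m and "action=lostpassword" in m["path"] and m["host"].lower() not in legit_hosts:
            hits.append((m["ip"], m["host"]))
    return hits

# Constructed reset e-mail as the vulnerable wp_mail() builds it when SERVER_NAME
# (derived from the Host header) pointed at an attacker-controlled domain.
SAMPLE_MAIL = """\
From: WordPress <wordpress@attacker.invalid>
Return-Path: <wordpress@attacker.invalid>
Message-ID: <abc123@attacker.invalid>
To: victim@example.org
Subject: [Blog] Password Reset

To reset your password, visit the following address:
<http://blog.example.org/wp-login.php?action=rp&key=KEY_PLACEHOLDER&login=admin>
"""
def _domain(header_value):
    # Domain part of an address-like header value (From, Return-Path, Message-ID).
    addr = parseaddr(header_value)[1] or header_value.strip("<> ")
    return addr.rpartition("@")[2].lower()

def reset_mail_findings(raw_mail, legit_hosts=LEGIT_HOSTS):
    """Map each header (or 'reset-link') to the foreign hostname it carries."""
    msg = message_from_string(raw_mail)
    doms = {h: _domain(msg.get(h, "")) for h in ("From", "Return-Path", "Message-ID")}
    findings = {h: d for h, d in doms.items() if d not in legit_hosts}
    link = re.search(r"https?://[^\s<>]+wp-login\.php\?action=rp[^\s<>]*", raw_mail)
    link_host = urlparse(link.group(0)).hostname if link else None
    if link_host not in legit_hosts:
        findings["reset-link"] = link_host
    return findings
```

The reset link itself is not flagged in the sample because WordPress builds it from the stored site URL, so a clean link with foreign sender headers is exactly the pattern the second bullet describes.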

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.0    | 5.9   | MEDIUM   | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd           | v2.0    | 4.3   | MEDIUM   | AV:N/AC:M/Au:N/C:N/I:P/A:N
osv           |         | 5.9   | MEDIUM   |
vulncheck     |         | 5.9   | MEDIUM   |
vendor_debian |         | 5.9   | MEDIUM   |