CVE-2017-8295
Published: 2017-05-04
Priority: P2 75 · medium · CVSS 3.0 base score 5.9
CVSS 3.0 vector: AV:N / AC:H / PR:N / UI:N / S:U / C:N / I:H / A:N
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 26.70% (97.8th percentile)
WordPress through 4.7.4 relies on the Host HTTP header for a password-reset e-mail message, which makes it easier for remote attackers to reset arbitrary passwords by making a crafted wp-login.php?action=lostpassword request and then arranging for this message to bounce or be resent, leading to transmission of the reset key to a mailbox on an attacker-controlled SMTP server. This is related to problematic use of the SERVER_NAME variable in wp-includes/pluggable.php in conjunction with the PHP mail function. Exploitation is not achievable in all cases because it requires at least one of the following: (1) the attacker can prevent the victim from receiving any e-mail messages for an extended period of time (such as 5 days), (2) the victim's e-mail system sends an autoresponse containing the original message, or (3) the victim manually composes a reply containing the original message.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | wordpress | < 4.7.5+dfsg-2 (bookworm) | 4.7.5+dfsg-2 (bookworm) |
| wordpress | wordpress | <= 4.7.4 | — |
| wordpress | wordpress | >= 0, < 4.7.5+dfsg-2 | 4.7.5+dfsg-2 |
Detection & IOCs (extracted from sources)
- Monitor HTTP requests to wp-login.php?action=lostpassword that contain a manipulated or attacker-controlled Host header, which WordPress uses to construct the password-reset e-mail's Return-Path, From, and Message-ID fields.
- Inspect outgoing password-reset e-mails for Return-Path, From, and Message-ID headers containing an unexpected or attacker-controlled domain, indicating Host header injection via SERVER_NAME.
- Alert on password-reset e-mails where the embedded reset link hostname does not match the legitimate WordPress site hostname, as this indicates a Host header injection attack.
- Exploitation requires at least one of three conditions: the attacker blocks the victim's e-mail for an extended period (~5 days), the victim's e-mail system sends an autoresponse with the original message, or the victim manually replies with the original message. Exploitation is therefore conditional and not universally achievable.
- The vulnerability is rooted in WordPress's use of the SERVER_NAME variable (derived from the Host HTTP header) in wp-includes/pluggable.php when calling the PHP mail function; patched in WordPress 4.7.5.
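The following script is an added example, not code from any of the sources listed on this page. It implements the first three IOC items above as two checks a defender can run offline: one over web-server access log lines (flagging lostpassword requests whose Host header is not a legitimate site hostname) and one over an outgoing password-reset e-mail (flagging From, Return-Path and Message-ID domains, and any wp-login.php link hostname, that are not legitimate). The log format with a trailing host="..." field, the ALLOWED_HOSTS set, and the sample log lines and sample e-mail are all assumptions constructed for this example.

```python
"""Defender-side checks for the IOC items above (CVE-2017-8295).

1. Requests to wp-login.php?action=lostpassword whose Host header is not
   one of the site's legitimate hostnames (from the web/proxy access log).
2. Outgoing password-reset e-mails whose From, Return-Path or Message-ID
   domain, or whose embedded wp-login.php link hostname, is not legitimate.

Assumptions (not from the original page): the log format below, in which
the proxy appends host="..." to each line, the ALLOWED_HOSTS set, and the
sample log lines and sample e-mail, which are constructed here.
"""
import email
import re
from email import policy
from urllib.parse import parse_qs, urlsplit

# Hostnames the WordPress site is legitimately served under (assumption).
ALLOWED_HOSTS = {"blog.example.org", "www.example.org"}

# Constructed combined-log-style line with a trailing host="..." field.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]+" '
    r'(?P<status>\d{3}) \S+ host="(?P<host>[^"]*)"$'
)

# Any "user@domain" or "<id@domain>" token in a mail header.
HEADER_DOMAIN = re.compile(r"@([A-Za-z0-9.-]+)")
URL = re.compile(r"https?://[^\s<>]+")


def is_lostpassword_request(path: str) -> bool:
    """True for .../wp-login.php?action=lostpassword (extra params allowed)."""
    parts = urlsplit(path)
    if not parts.path.endswith("/wp-login.php"):
        return False
    return parse_qs(parts.query).get("action") == ["lostpassword"]


def suspicious_lostpassword_requests(log_lines, allowed_hosts=ALLOWED_HOSTS):
    """Return (client_ip, host) for reset requests carrying a foreign Host header."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m or not is_lostpassword_request(m["path"]):
            continue
        host = m["host"].split(":")[0].lower()  # strip any port
        if host not in allowed_hosts:
            hits.append((m["ip"], host))
    return hits


def suspicious_reset_mail(raw_message: str, allowed_hosts=ALLOWED_HOSTS):
    """Return (field, domain) findings for one password-reset e-mail.

    Flags From / Return-Path / Message-ID domains outside allowed_hosts and
    any wp-login.php link in the body that points at a foreign host.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for header in ("From", "Return-Path", "Message-ID"):
        m = HEADER_DOMAIN.search(str(msg.get(header, "")))
        if m and m.group(1).lower() not in allowed_hosts:
            findings.append((header, m.group(1).lower()))
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    for url in URL.findall(text):
        parts = urlsplit(url)
        if parts.path.endswith("/wp-login.php") and parts.hostname \
                and parts.hostname not in allowed_hosts:
            findings.append(("reset-link", parts.hostname))
    return findings


# Constructed sample data: one legitimate reset request, one with a foreign
# Host header, and one foreign-host request that is not a reset request.
SAMPLE_LOG = [
    '203.0.113.7 - - [04/May/2017:10:00:01 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 0 host="blog.example.org"',
    '198.51.100.9 - - [04/May/2017:10:00:05 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 0 host="attacker.invalid"',
    '198.51.100.9 - - [04/May/2017:10:00:06 +0000] "GET /wp-login.php HTTP/1.1" 200 4213 host="attacker.invalid"',
]

# Constructed reset mail: the sender headers carry the injected domain while
# the reset link still points at the real site.
SAMPLE_MAIL = """\
Return-Path: <wordpress@attacker.invalid>
From: WordPress <wordpress@attacker.invalid>
To: admin@example.org
Subject: [Example Blog] Password Reset
Message-ID: <20170504100005.1234@attacker.invalid>
Content-Type: text/plain; charset="UTF-8"

Someone has requested a password reset for the following account:
Username: admin
To reset your password, visit the following address:
<http://blog.example.org/wp-login.php?action=rp&key=EXAMPLEKEY&login=admin>
"""

if __name__ == "__main__":
    print(suspicious_lostpassword_requests(SAMPLE_LOG))
    print(suspicious_reset_mail(SAMPLE_MAIL))
```

Run the script directly to see the two result lists. The request check deliberately ignores foreign-host requests that are not lostpassword requests, since a stray Host header on an ordinary page view is noise; the mail check compares hostnames after lowercasing, and a site served under several names should list all of them in ALLOWED_HOSTS.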
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 5.9 | MEDIUM | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N |
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| osv | — | 5.9 | MEDIUM | — |
| vulncheck | — | 5.9 | MEDIUM | — |
| vendor_debian | — | 5.9 | MEDIUM | — |
Debian
CVE-2017-8295: wordpress - WordPress through 4.7.4 relies on the Host HTTP header for a password-reset e-ma...
vendor_debian · 2017 · CVSS 5.9 · MEDIUM
GHSA
GHSA-xr65-2gpf-fj8v: WordPress through 4
ghsa_unreviewed · 2022-05-17 · CVE-2017-8295 · MEDIUM · CWE-640
OSV
CVE-2017-8295: WordPress through 4
osv · 2017-05-04 · CVSS 5.9 · MEDIUM
VulnCheck
WordPress wordpress Weak Password Recovery Mechanism for Forgotten Password
vulncheck · 2017 · CVSS 5.9 · MEDIUM
No detection rules found.
Checkpoint
2017-5-8 Global Cyber Attack Reports
blogs_checkpoint · 2017-05-08 · CVE-2017-5689
## 2017-5-8 Global Cyber Attack Reports
TOP ATTACKS AND BREACHES
A new phishing campaign has hit Gmail users. In the attack, victims received malicious emails with a request to access a Google Doc. Once opened, a fake Google Docs application asked for permissions to the victim's Gmail account and then sent similar phishing emails to their contacts. The attack was blocked by Google within an hour of the first reports. A day after the attack, a Twitter account was used to take responsibility for it
HackerOne
Wordpress Vulnerable to Potential Unauthorized Password Reset
hackerone · 2017-08-15 · CVSS 5.9 · MEDIUM
Hi Team,
Yesterday, a new 0day on wordpress core has been discovered by Dawid Golunski, so I want you guys to be aware of it and take immediate action since nextcloud was using wordpress.
> Wordpress has a password reset feature that contains a vulnerability which
> might in some cases allow attackers to get hold of the password reset link
> without previous authentication.
> Such attack could lead to an attacker gaining unauthorised access to a
> victim's WordPress account.
Affected WP version is up to the latest one `4.7.4`, so while waiting for the release of the new version that will fix the issue, you may want to apply a temporary solution: enable `UseCanonicalName` to enforce a static SERVER_NAME value.
You can see the full d
Bugzilla
CVE-2017-8295 wordpress: Usage of Host HTTP header for a password-reset e-mail message
bugzilla · 2017-05-09 · CVSS 5.9 · MEDIUM
Bugzilla
CVE-2017-8295 wordpress: Usage of Host HTTP header for a password-reset e-mail message [epel-all]
bugzilla · 2017-05-09 · CVSS 5.9 · MEDIUM
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of epel-all.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this issue affects multiple
Bugzilla
CVE-2017-8295 wordpress: Usage of Host HTTP header for a password-reset e-mail message [fedora-all]
bugzilla · 2017-05-09 · CVSS 5.9 · MEDIUM
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this issue affects multi
References
- http://www.debian.org/security/2017/dsa-3870
- http://www.securityfocus.com/bid/98295
- http://www.securitytracker.com/id/1038403
- https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html
- https://wpvulndb.com/vulnerabilities/8807
- https://www.exploit-db.com/exploits/41963/