WordPress is vulnerable to a logic flaw that could allow a remote attacker to reset a targeted user's password under certain circumstances.
The flaw (CVE-2017-8295) is more dangerous than it looks because it affects all versions of WordPress, including the latest release at the time of disclosure, 4.7.4.
The flaw was discovered by Polish security researcher Dawid Golunski of Legal Hackers in July of last year and reported to the WordPress security team, which had not released a fix by the time it was publicly disclosed, leaving millions of websites exposed.
He is also the researcher who found a critical vulnerability in the popular open-source PHPMailer library that allowed attackers to execute arbitrary code remotely in the context of the web server and compromise the target web application.
HOW IT OCCURS
WordPress lets a user who has forgotten their password request a reset: clicking the "Forgot Password" link makes WordPress send an email containing a reset link to the address registered for that account.
When building that email, WordPress takes the server's hostname from the SERVER_NAME variable and uses it to fill the From and Return-Path fields (an address of the form wordpress@<hostname>). On common setups, such as Apache with its default UseCanonicalName Off, SERVER_NAME is not a fixed value: it is copied from the Host header of the incoming request.
According to Golunski, an attacker can therefore send a crafted password reset request for the targeted admin user with a Host header of their own choosing, for example attacker-mxserver.com.
The From and Return-Path fields of the resulting password reset email will then carry an address on the attacker's domain, i.e. wordpress@attacker-mxserver.com, instead of an address on the site's real domain. Since Return-Path is where bounces and auto-replies are delivered, the attacker receives the reset link whenever the victim's mailbox rejects the message (for example because it is full or unreachable) or an auto-responder quotes the original message back.
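The mechanism described above, as an added illustration that is not code from the original article, from WordPress or from Apache: it re-implements in Python how SERVER_NAME is derived (UseCanonicalName Off versus On), how the affected sender address is built from it, a hypothetical hardened variant that takes the host from the configured site URL instead, and a log check that flags lost-password requests arriving with a Host header the site does not own. The hostname victim-site.example, the site URL, the log format and the log lines are constructed for the example; attacker-mxserver.com is the hostname used in the text.

```python
"""Model of the CVE-2017-8295 mechanism: the password-reset mail's sender is
built from SERVER_NAME, and a default Apache (UseCanonicalName Off) fills
SERVER_NAME from the client-controlled Host header.

Added illustration written in Python. It re-implements the relevant logic and
is not WordPress's or Apache's own code; hostnames and log lines are constructed."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class OutboundMail:
    from_addr: str        # From: header
    envelope_sender: str  # Return-Path: where bounces and auto-replies go
    to: str
    body: str


def server_name(host_header: str, configured_name: str, use_canonical_name: bool) -> str:
    """What the web server exposes to PHP as SERVER_NAME.
    UseCanonicalName Off (Apache's default): mirrors the Host header.
    UseCanonicalName On: the ServerName from the vhost configuration."""
    return configured_name if use_canonical_name else host_header


def vulnerable_from_address(server_name_value: str) -> str:
    """Mirrors the affected wp_mail() default: 'wordpress@' + SERVER_NAME,
    lower-cased, with a leading 'www.' removed."""
    sitename = server_name_value.lower()
    if sitename.startswith("www."):
        sitename = sitename[4:]
    return f"wordpress@{sitename}"


def hardened_from_address(site_url: str) -> str:
    """Hypothetical fix (not a WordPress patch): take the host from the site URL
    kept in configuration, which no inbound request can change."""
    host = urlparse(site_url).hostname
    if not host:
        raise ValueError("site URL has no hostname")
    return f"wordpress@{host}"


def send_reset_mail(host_header: str, *, configured_name: str, site_url: str,
                    use_canonical_name: bool, hardened: bool,
                    victim: str = "admin@victim-site.example") -> OutboundMail:
    """Compose the reset mail as the affected code path or the hardened one would."""
    if hardened:
        sender = hardened_from_address(site_url)
    else:
        sender = vulnerable_from_address(server_name(host_header, configured_name, use_canonical_name))
    link = "https://victim-site.example/wp-login.php?action=rp&key=EXAMPLEKEY&login=admin"
    return OutboundMail(sender, sender, victim, f"To reset your password, visit: {link}")


def bounce_destination_domain(mail: OutboundMail) -> str:
    """If the victim's mailbox rejects the mail (full, down, blocked), the bounce,
    which usually quotes the body and with it the reset link, lands on this domain."""
    return mail.envelope_sender.split("@", 1)[1]


# Detection: Apache combined log with the Host header appended, i.e.
# LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{Host}i\""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" \d+ \S+ '
                    r'"[^"]*" "[^"]*" "(?P<host>[^"]*)"$')

SAMPLE_LOG = [  # constructed sample lines
    '203.0.113.7 - - [03/May/2017:10:15:01 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 - "-" "curl/7.52.1" "attacker-mxserver.com"',
    '198.51.100.4 - - [03/May/2017:10:16:22 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 - "https://victim-site.example/wp-login.php" "Mozilla/5.0" "victim-site.example"',
    '198.51.100.9 - - [03/May/2017:10:17:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "attacker-mxserver.com"',
]


def flag_spoofed_reset_requests(log_lines, expected_hosts):
    """Lost-password requests whose Host header is not one of the site's own names."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or "action=lostpassword" not in m.group("req"):
            continue
        host = m.group("host").split(":")[0].lower()
        if host not in expected_hosts:
            hits.append((m.group("ip"), host))
    return hits


if __name__ == "__main__":
    spoofed = send_reset_mail("attacker-mxserver.com", configured_name="victim-site.example",
                              site_url="https://victim-site.example",
                              use_canonical_name=False, hardened=False)
    print("Affected path, UseCanonicalName Off:", spoofed.from_addr)
    print("Bounces would reach:", bounce_destination_domain(spoofed))
    print("Flagged:", flag_spoofed_reset_requests(SAMPLE_LOG, {"victim-site.example"}))
```

Setting UseCanonicalName On (or pinning the sender through the wp_mail_from filter) closes the request-controlled path in the model, which is why those are the usual interim mitigations; the log check only works if the Host header is actually logged, which the stock combined format does not do.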