Weak Password Recovery Mechanism for Forgotten Password Affecting wordpress package, versions <4.7.5+dfsg-2
Threat Intelligence
Snyk has a published code exploit for this vulnerability.
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Weak Password Recovery Mechanism for Forgotten Password vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-DEBIANUNSTABLE-WORDPRESS-363433
- published4 May 2017
- disclosed4 May 2017
Introduced: 4 May 2017
CVE-2017-8295 (opens in a new tab)How to fix?
Upgrade Debian:unstable wordpress to version 4.7.5+dfsg-2 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream wordpress package and not the wordpress package as distributed by Debian.
See How to fix? for Debian:unstable relevant fixed versions and status.
WordPress through 4.7.4 relies on the Host HTTP header for a password-reset e-mail message, which makes it easier for remote attackers to reset arbitrary passwords by making a crafted wp-login.php?action=lostpassword request and then arranging for this message to bounce or be resent, leading to transmission of the reset key to a mailbox on an attacker-controlled SMTP server. This is related to problematic use of the SERVER_NAME variable in wp-includes/pluggable.php in conjunction with the PHP mail function. Exploitation is not achievable in all cases because it requires at least one of the following: (1) the attacker can prevent the victim from receiving any e-mail messages for an extended period of time (such as 5 days), (2) the victim's e-mail system sends an autoresponse containing the original message, or (3) the victim manually composes a reply containing the original message.
References
- https://security-tracker.debian.org/tracker/CVE-2017-8295
- http://www.debian.org/security/2017/dsa-3870
- https://www.exploit-db.com/exploits/41963/
- https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html
- https://wpvulndb.com/vulnerabilities/8807
- http://www.securityfocus.com/bid/98295
- http://www.securitytracker.com/id/1038403
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-8295
- https://www.exploit-db.com/exploits/41963