A newly discovered, unpatched vulnerability in all versions of WordPress could allow hackers to reset targeted admin passwords, according to newly published research.
The vulnerability (CVE-2017-8295), discovered by Polish researcher Dawid Golunski, stems from WordPress using a variable named “SERVER_NAME” to obtain the server’s hostname when it sets the From/Return-Path header of the password reset emails it sends to users. Because that variable can be influenced by the incoming request, an attacker could craft a malicious HTTP request that triggers a password reset operation while injecting a custom SERVER_NAME value such as “email@example.com.” When the WordPress installation then generates the password reset email, its “From” and “Return-Path” values take the form “firstname.lastname@example.org.”
“Depending on the configuration of the mail server, it may result in an email that gets sent to the victim WordPress user with such malicious From/Return-Path address set in the email headers,” Golunski wrote. “This could possibly allow the attacker to intercept the email containing the password reset link in some cases requiring user interaction as well as without user interaction.”
There are, however, only three scenarios in which a WordPress installation could be tricked, according to Golunski. The first involves a hacker performing a denial-of-service attack on the victim’s email account so that the password reset email cannot be delivered and instead bounces back to the malicious sender address. The second relies on auto-responders that attach a copy of the original email in the body of the auto-replied message. The third involves sending the targeted victim multiple password reset emails to prompt them to reply asking for an explanation, a reply that could quote the malicious password reset link.
While the vulnerability itself is concerning, perhaps more disturbing is the fact that Golunski claims to have discovered it in July last year and informed WordPress, which he said subsequently ignored the issue.
“This issue has been reported to WordPress security team multiple times with the first report sent back in July 2016. It was reported both directly via security contact email, as well as via HackerOne website,” Golunski noted. “As there has been no progress, in this case, this advisory is finally released to the public without an official patch.”
While there is no patch available for the vulnerability, Hacker News suggests that WordPress admins can mitigate the risk by updating their server configuration to enable UseCanonicalName, which enforces a static/predefined SERVER_NAME value.
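As an added illustration of that mitigation (not taken from the original advisory or from WordPress), the following Apache virtual host shows the weak setting beside the corrected one; the hostname www.example.com is a placeholder for the site’s real name.

```apache
# Constructed example of the Apache mitigation described above.

# Weak (Apache's default): with UseCanonicalName Off, SERVER_NAME is
# derived from the Host header supplied by the client, so a request
# carrying an arbitrary Host value ends up in the password reset
# email's From/Return-Path address.
#
# <VirtualHost *:80>
#     ServerName www.example.com
#     UseCanonicalName Off
#     DocumentRoot /var/www/wordpress
# </VirtualHost>

# Hardened: with UseCanonicalName On, SERVER_NAME is always taken from
# the ServerName directive, regardless of what Host header the request
# carries. Pair it with an explicit ServerName so the canonical value
# is the one you intend.
<VirtualHost *:80>
    ServerName www.example.com
    UseCanonicalName On
    DocumentRoot /var/www/wordpress
</VirtualHost>
```

After reloading Apache, confirm the change by requesting the site with a deliberately wrong Host header on a test instance and checking that the reset email’s From/Return-Path still shows www.example.com.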