WordPress 2.3.0 - 4.8.3 Unauthorized Password Reset

medium Nessus Plugin ID 100028

Synopsis

A PHP application running on the remote web server is affected by a security bypass vulnerability.

Description

According to its self-reported version number, the WordPress application running on the remote web server is 4.7.x. It is, therefore, affected by a flaw in the wp_mail() function within file wp-includes/pluggable.php due to the improper usage of the SERVER_NAME variable, specifically when input from the HTTP Host header is assigned to SERVER_NAME. An unauthenticated, remote attacker can exploit this issue to reset arbitrary passwords by means of a crafted 'wp-login.php?action=lostpassword' request, which is then bounced or resent, resulting in the transmission of the reset key to a mailbox on an SMTP server under the attacker's control.

Note that exploitation of this vulnerability is not achievable in all cases because it requires at least one of the following conditions :

- The attacker can prevent the victim from receiving any e-mail messages for an extended period of time (such as five days).

- The victim's e-mail system sends an auto-response containing the original message.

- The victim manually composes a reply containing the original message.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

There is no official fixed release available from the vendor at this time.

It is possible to mitigate this vulnerability by taking steps to ensure that SERVER_NAME is constructed from a static value. For example, on Apache systems, enable the UseCanonicalName setting within the Apache configuration. This will force PHP to use the configured ServerName directive value instead of relying on the HTTP Host request header, which can be manipulated by an attacker.

See Also

http://www.nessus.org/u?5a4aa4f1

http://www.nessus.org/u?4c466b63

https://core.trac.wordpress.org/ticket/25239

http://www.nessus.org/u?3f6ca2dd

Plugin Details

Severity: Medium

ID: 100028

File Name: wordpress_unauth_pw_reset.nasl

Version: 1.9

Type: remote

Family: CGI abuses

Published: 5/9/2017

Updated: 11/13/2019

Configuration: Enable paranoid mode

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.9

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2017-8295

CVSS v3

Risk Factor: Medium

Base Score: 5.9

Temporal Score: 5.6

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:P/RL:X/RC:C

Vulnerability Information

CPE: cpe:/a:wordpress:wordpress

Required KB Items: installed_sw/WordPress, www/PHP, Settings/ParanoidReport

Exploit Available: true

Exploit Ease: No exploit is required

Vulnerability Publication Date: 5/3/2017

Reference Information

CVE: CVE-2017-8295

BID: 98295