Since days, WordPress has a password reset feature allowing any user to ask for a new password. This feature contains a vulnerability which might allow an attacker to get the password reset link without even being authenticated.
This kind of attack could lead to an unauthorized access on the victim’s WordPress account.
By default, WordPress is using an untrusted data to create a password reset link. That is supposed to be delivered only to the email address associated with the owner’s account.
If the From email header is not present WordPress will use the server one. See
[pastacode lang=”php” manual=”%0Aif%20(%20!isset(%20%24from_email%20)%20)%20%7B%0A%2F%2F%20Get%20the%20site%20domain%20and%20get%20rid%20of%20www.%0A%24sitename%20%3D%20strtolower(%20%24_SERVER%5B’SERVER_NAME’%5D%20)%3B%0Aif%20(%20substr(%20%24sitename%2C%200%2C%204%20)%20%3D%3D%20’www.’%20)%20%7B%0A%24sitename%20%3D%20substr(%20%24sitename%2C%204%20)%3B%0A%7D%0A%0A%24from_email%20%3D%20’wordpress%40’%20.%20%24sitename%3B%0A%7D” message=”wp-includes/pluggable.php” highlight=”” provider=”manual”/]
An attacker can use the
SERVER_NAME variable to trick WordPress, and this could allow the attacker to intercept the email containing the password reset link.
Vulnerability DREAD Rating Score
- Damage – how bad would an attack be?
- 3/5: Once the admin password reset, you have admin access to the site, not the files/FTP, server.
- Reproducibility – how easy is it to reproduce the attack?
- 0/5: Very very hard, depends on mail server settings etc
- Exploitability – how much work is it to launch the attack?
- 1/5: SO much work and luck.
- Affected users – how many people will be impacted?
- 4/5: Every user, not visitors directly.
- Discoverability – how easy is it to discover the threat?
- 2/5: If you’re running a WordPress 4.7.4 or less. That’s it.
- Final DREAD Score
- 2 – Low
What’s About a Protection?
Usually, when a WordPress vulnerability is discovered, the researcher won’t disclose the flaw until a patch has been release plus one week. But … Dawid Golunski (@dawid_golunski) already reported this issue to WordPress security team multiple times, with the first report sent back in July 2016. So, it’s time to disclose it.
Czar Aaron Campbell from the security team already knows that and its DREAD score. This is why it has not been prioritized yet. He says that a bad set server is needed to exploit and even on his local test, he couldn’t exploit it.
More, you need at least one of these actions:
- a user needs to reply to a password reset email,
- an auto-reply needs to reply to the E-Mail and include the original,
- an E-Mail server has to be compromised or overloaded and the message returned to sender with content intact.
You just need a few code lines to protect you:
[pastacode lang=”php” path_id=”756f6873d6231133fc756095c8295a58″ file=”patch-wp474-reset-mail.php” highlight=”” lines=”” provider=”gist”/]
But, the vulnerability is not an easy-to-exploit so, dont stress too much.