WordPress Flaws and Vulnerabilities

WordPress 4.7.4 Unauthorized Password Reset Vulnerability (0-Day)

Blog WordPress Flaws and Vulnerabilities WordPress 4.7.4 Unauthorized Password Reset Vulnerability (0-Day)
0 comments

Since days, WordPress has a password reset feature allowing any user to ask for a new password. This feature contains a vulnerability which might allow an attacker to get the password reset link without even being authenticated.

This kind of attack could lead to an unauthorized access on the victim’s WordPress account.

The Vulnerability

By default, WordPress is using an untrusted data to create a password reset link. That is supposed to be delivered only to the email address associated with the owner’s account.

If the From email header is not present WordPress will use the server one. See wp-includes/pluggable.php


if ( !isset( $from_email ) ) {
// Get the site domain and get rid of www.
$sitename = strtolower( $_SERVER['SERVER_NAME'] );
if ( substr( $sitename, 0, 4 ) == 'www.' ) {
$sitename = substr( $sitename, 4 );
}

$from_email = 'wordpress@' . $sitename;
}
wp-includes/pluggable.php

An attacker can use the SERVER_NAME variable to trick WordPress, and this could allow the attacker to intercept the email containing the password reset link.

Vulnerability DREAD Rating Score

  • Damage – how bad would an attack be?
    • 3/5: Once the admin password reset, you have admin access to the site, not the files/FTP, server.
  • Reproducibility – how easy is it to reproduce the attack?
    • 0/5: Very very hard, depends on mail server settings etc
  • Exploitability – how much work is it to launch the attack?
    • 1/5: SO much work and luck.
  • Affected users – how many people will be impacted?
    • 4/5: Every user, not visitors directly.
  • Discoverability – how easy is it to discover the threat?
    • 2/5: If you’re running a WordPress 4.7.4 or less. That’s it.
  • Final DREAD Score
    • 2 – Low

What’s About a Protection?

Usually, when a WordPress vulnerability is discovered, the researcher won’t disclose the flaw until a patch has been release plus one week. But … Dawid Golunski (@dawid_golunski) already reported this issue to WordPress security team multiple times, with the first report sent back in July 2016. So, it’s time to disclose it.

Czar Aaron Campbell from the security team already knows that and its DREAD score. This is why it has not been prioritized yet. He says that a bad set server is needed to exploit and even on his local test, he couldn’t exploit it.

More, you need at least one of these actions:

  • a user needs to reply to a password reset email,
  • an auto-reply needs to reply to the E-Mail and include the original,
  • an E-Mail server has to be compromised or overloaded and the message returned to sender with content intact.

Mini Plugin

You just need a few code lines to protect you:

add_filter( 'wp_mail_from', 'baw_fix_wp_474_mail_reset_vulnerability' );
function baw_fix_wp_474_mail_reset_vulnerability( $from_email ) {
	return 'wordpress@example.com';
}
gistfile1.txt view raw

But, the vulnerability is not an easy-to-exploit so, dont stress too much.

 

About Julio Potier All of Julio Potier's posts

Creator of SecuPress and the LearnWPSecurity Training, Julio is also lead organisator of WordCamp Lille.
Compulsive speaker, Senior Trainer and WordPress Engineer, he's a specialist in security since 2002 and contribute to WordPress various ways.

This might interest you too

0 comments