This week security researcher Dawid Golunski disclosed an unpatched vulnerability in WordPress that could allow an attacker to reset the password of another user, including administrators. It affects most versions of WordPress, including the current release, 4.7.4.

The vulnerability lets an attacker target an account on a WordPress site by altering the “from” address and return path of the password reset email that WordPress sends as part of its account recovery feature. To be clear, the password reset email is not sent to the attacker directly: it is still delivered to the targeted WordPress user. The attacker’s goal is to have that email, or a copy of it, come back to the forged sender address.

How Does It Work?

The attack relies on two things. First, the attacker must manipulate the value WordPress uses as the sender address of the password reset email. Second, the message must come back to that sender address with the original body, which contains the reset link, intact. When both hold, a reply or bounce that would normally go back to the site’s mailbox is delivered to the attacker instead, reset link included.

The function that creates the password reset email builds the sender address from $_SERVER['SERVER_NAME'] (wordpress@<server name>). Depending on the web server’s configuration, that variable is not a fixed, administrator-controlled value but is populated from the Host header of the incoming request; Apache does this when UseCanonicalName is Off, which is its default. By submitting the password reset request with a forged Host header, the attacker sets both the from address and the return path of the email to a domain they control.
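The following PHP is an added example, not WordPress core or SiteLock code. The first function reproduces the sender-address pattern described above; the second is a drop-in mitigation for a must-use plugin that pins the sender to the site’s configured home URL through the wp_mail_from filter (a real WordPress hook, which receives the default from address). The function names, the stub home_url() that lets the file run outside WordPress, and the forged hostname are constructed for this example.

```php
<?php
// Added example: sender address derived from a request-controlled value,
// and a mu-plugin style fix that pins it to the site's configured host.

// Vulnerable pattern: the sender is built from $_SERVER['SERVER_NAME'].
// On a server without a canonical hostname (e.g. Apache with
// UseCanonicalName Off) this value mirrors the attacker's Host header.
function vulnerable_sender_address(array $server): string {
    $sitename = strtolower($server['SERVER_NAME']);
    if (substr($sitename, 0, 4) === 'www.') {
        $sitename = substr($sitename, 4);
    }
    return 'wordpress@' . $sitename;
}

// Hardened pattern: derive the sender host from the site URL stored in the
// database (home_url()), which an HTTP request cannot change.
// 'wp_mail_from' is a real WordPress core filter; pin_password_reset_sender
// is a name chosen for this example.
function pin_password_reset_sender(string $from): string {
    $host = parse_url(home_url(), PHP_URL_HOST);
    if ($host === false || $host === null || $host === '') {
        return $from; // fall back rather than emit an empty address
    }
    return 'wordpress@' . preg_replace('/^www\./i', '', strtolower($host));
}

// Usage inside a must-use plugin (wp-content/mu-plugins/pin-sender.php):
if (function_exists('add_filter')) {
    add_filter('wp_mail_from', 'pin_password_reset_sender', 10, 1);
}

// Stand-alone demonstration (run with `php pin-sender.php` outside WordPress).
if (!function_exists('home_url')) {
    // Constructed stub standing in for WordPress's home_url(); in a real
    // install the value comes from the options table, not from the request.
    function home_url(): string { return 'https://example.com'; }

    // Constructed input: a forged Host header echoed into SERVER_NAME.
    $forged = ['SERVER_NAME' => 'attacker.example'];
    echo vulnerable_sender_address($forged), PHP_EOL;                      // wordpress@attacker.example
    echo pin_password_reset_sender('wordpress@attacker.example'), PHP_EOL; // wordpress@example.com
}
```

Because the filter runs on every wp_mail() call, it also pins the sender of all other outbound site mail, which is usually what you want; if a plugin legitimately sets a different from address later in the filter chain, give it a higher priority than 10 so it still wins.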

To further clarify, the site does not send the password reset email to the attacker. The attack relies on the reset email’s content being reflected back to the forged sender address in a message originating from the targeted user’s side. There are a few scenarios where this is likely to occur.

  1. If the targeted user replies to the password reset email and includes the original email content in their reply.
  2. If the targeted user’s mail server is down, the address no longer exists or is otherwise invalid, or any other condition causes a bounce (failure notice) to be sent back to the sender, since bounces typically quote the original message.
  3. If a vacation auto-responder is used that includes the original email content.

Am I Protected?

SiteLock customers using the SiteLock TrueShield Web Application Firewall (WAF) are protected from this vulnerability. You are also protected if your hosting server is configured so that $_SERVER['SERVER_NAME'] cannot be altered by the request’s Host header; on Apache, for example, setting UseCanonicalName On together with an explicit ServerName makes SERVER_NAME follow the configured name rather than the Host header. We suggest contacting your hosting provider to verify these details. If your current environment is not set up to protect against this vector, we recommend deploying a WAF such as SiteLock TrueShield that blocks attacks of this type.