Exploitbox: WordPress Unauthorized Password Reset Vulnerability

On the Exploitbox site Dawid Golunski shares a 0-day vulnerability in the WordPress core affecting all versions:

The vulnerability stems from WordPress using untrusted data by default when creating a password reset e-mail that is supposed to be delivered only to the e-mail associated with the owner’s account.

They include the following code sample from the core:

------[ wp-includes/pluggable.php ]------

...

if ( !isset( $from_email ) ) {
        // Get the site domain and get rid of www.
        $sitename = strtolower( $_SERVER['SERVER_NAME'] );
        if ( substr( $sitename, 0, 4 ) == 'www.' ) {
                $sitename = substr( $sitename, 4 );
        }

        $from_email = 'wordpress@' . $sitename;
}

Because SERVER_NAME can be modified, an attacker could set it to an arbitrary domain of his choice, e.g. “attackers-mxserver.com”, which would result in WordPress setting the $from_email to “wordpress@attackers-mxserver.com” and thus result in an outgoing email with From/Return-Path set to this malicious address.

If you are running Apache, you can patch this yourself by adjusting the UseCanonicalName directive (with it set to On, SERVER_NAME is taken from the configured ServerName rather than from the request) or by ensuring $from_email is always set explicitly.
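To make the problem and the fix concrete, here is an added example, not code from Exploitbox, Dewhurst Security, WP Tavern or WordPress core. It reproduces the From-address derivation quoted above as a plain PHP function fed with constructed $_SERVER arrays, puts a pinned-domain derivation beside it, and runs a check that flags any sender address outside the operator's own domain. The SITE_MAIL_DOMAIN constant and the function names are assumptions for the example; inside WordPress the pinned variant corresponds to what a wp_mail_from filter returning a fixed address achieves.

```php
<?php
// Added example (not from the page's sources or WordPress core): the sender
// derivation from the quoted pluggable.php snippet beside a pinned variant.

/**
 * Legacy derivation, as in the quoted wp-includes/pluggable.php snippet:
 * the sender domain is taken from $_SERVER['SERVER_NAME'], which on a
 * default virtual host can follow the request's Host header.
 */
function from_email_legacy(array $server): string
{
    $sitename = strtolower($server['SERVER_NAME']);
    if (substr($sitename, 0, 4) === 'www.') {
        $sitename = substr($sitename, 4);
    }
    return 'wordpress@' . $sitename;
}

// Assumed operator configuration; placeholder domain, replace with your own.
const SITE_MAIL_DOMAIN = 'example.com';

/**
 * Hardened derivation: the domain comes from configuration only.
 * $server is accepted purely to show that it is deliberately ignored.
 */
function from_email_pinned(array $server): string
{
    return 'wordpress@' . SITE_MAIL_DOMAIN;
}

/**
 * Defender's check: does a derived sender address stay inside the domain
 * the operator controls? Returns false for any other domain.
 */
function sender_is_pinned(string $from_email): bool
{
    $suffix = '@' . SITE_MAIL_DOMAIN;
    return substr($from_email, -strlen($suffix)) === $suffix;
}

// Constructed request environments, not captured traffic.
$requests = [
    'ordinary request'  => ['SERVER_NAME' => 'www.example.com'],
    'foreign Host name' => ['SERVER_NAME' => 'attackers-mxserver.com'],
];

foreach ($requests as $label => $server) {
    $legacy = from_email_legacy($server);
    $pinned = from_email_pinned($server);
    printf(
        "%-18s legacy=%-34s pinned=%-22s legacy_in_domain=%s\n",
        $label,
        $legacy,
        $pinned,
        sender_is_pinned($legacy) ? 'yes' : 'NO'
    );
}
```

Run it with `php` from the command line: the first row shows both derivations agreeing for a normal request, while the second shows the legacy derivation producing a sender in a domain the site does not own, which sender_is_pinned() flags and the pinned derivation never produces.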

On the Dewhurst Security Blog they outline what it takes to be vulnerable:

From what we can see, this vulnerability can only be exploited against the default virtual host, i.e. the virtual host (domain) the web server will default to. You are vulnerable if your domain running WordPress is the only domain on the server, or if your domain is the default one. That, coupled with the exploitation requirement for the victim to somehow respond to the email, is why we believe it is pretty unlikely that this will be a major issue affecting WordPress users. Nevertheless, under the correct circumstances, there is a risk here.

For more information, you can read CVE-2017-8295 here and I’m sure a WordPress core update will be out soon.

Update: May 5, 2017: WP Tavern has an article covering this vulnerability with a code fix that you can add to a plugin:

add_filter( 'wp_mail_from', function( $from_email ) { return 'wordpress@example.com'; } ); // replace example.com with the domain you actually send mail from