
Unpatched Wordpress Flaw Could Allow Hackers To Reset Admin Password (The Hackers News)
2017-05-04 11:11

WordPress, the most popular CMS in the world, contains a logic flaw that could allow a remote attacker to reset a targeted user's password under certain circumstances. The vulnerability (CVE-2017-8295) is all the more serious because it affects every version of WordPress, including the latest release, 4.7.4. The WordPress flaw was discovered by Polish security


News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/1iBmSmNIZ44/hacking-wordpress-blog-admin.html

Related Vulnerability

DATE        CVE             VULNERABILITY TITLE
2017-05-04  CVE-2017-8295   Weak Password Recovery Mechanism for Forgotten Password vulnerability in Wordpress

Description: WordPress through 4.7.4 relies on the Host HTTP header for a password-reset e-mail message, which makes it easier for remote attackers to reset arbitrary passwords by making a crafted wp-login.php?action=lostpassword request and then arranging for this message to bounce or be resent, leading to transmission of the reset key to a mailbox on an attacker-controlled SMTP server.

Risk: attack vector network; attack complexity high; affected product wordpress; weakness CWE-640; CVSS base score 5.9
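The description above gives a defender two things to look for together: a lostpassword form submission, and a Host header that is not one of the site's own names (that header is what ends up in the reset mail's sender domain when the web server derives SERVER_NAME from it). The following is an added example, not code from the article, from WordPress or from the CVE record, of that check run over a few constructed access-log lines; the log format, the hostnames, the IP addresses and the allow-list are all assumptions for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not from any real server). Assumed Apache
# LogFormat "%h %t \"%r\" %>s \"%{Host}i\"": client IP, timestamp, request line,
# status code and the raw client-supplied Host header. That last field is the one
# that matters: many web-server setups (Apache with the default UseCanonicalName Off,
# for one) fill $_SERVER['SERVER_NAME'] from it, and WordPress builds the default
# sender address of the reset mail from SERVER_NAME.
SAMPLE_LOG = """\
203.0.113.5 [04/May/2017:11:11:00 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 "blog.example.com"
198.51.100.9 [04/May/2017:11:12:30 +0000] "GET /wp-login.php?action=lostpassword HTTP/1.1" 200 "attacker.example.net"
198.51.100.9 [04/May/2017:11:12:31 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 "attacker.example.net"
203.0.113.7 [04/May/2017:11:13:00 +0000] "GET /index.php HTTP/1.1" 200 "evil.example.org"
203.0.113.5 [04/May/2017:11:14:00 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 "BLOG.example.com:443"
"""

# Hostnames this site is legitimately served under (assumed; adjust per deployment).
ALLOWED_HOSTS = {"blog.example.com", "www.blog.example.com"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) "(?P<host>[^"]*)"$'
)


def canonical_host(host):
    """Lower-case a Host header value and strip any :port, so the allow-list
    comparison is not fooled by letter case or an explicit port."""
    host = host.strip().lower()
    if host.startswith("["):  # bracketed IPv6 literal, e.g. [::1]:8080
        return host[: host.index("]") + 1] if "]" in host else host
    return host.rsplit(":", 1)[0] if host.count(":") == 1 else host


def host_is_allowed(host, allowed_hosts=ALLOWED_HOSTS):
    return canonical_host(host) in allowed_hosts


def is_lostpassword_post(method, target):
    """True for the form submission that makes wp-login.php send the reset e-mail.
    The GET only renders the form and sends no mail, so it is not flagged."""
    parts = urlsplit(target)
    return (method.upper() == "POST"
            and parts.path == "/wp-login.php"
            and parse_qs(parts.query).get("action") == ["lostpassword"])


def find_poisoned_reset_requests(log_text, allowed_hosts=ALLOWED_HOSTS):
    """Return the lostpassword submissions whose Host header is not one of ours.
    Each of these produced a reset e-mail whose sender domain was chosen by the
    client. Lines that do not match the assumed log format are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if is_lostpassword_post(m["method"], m["target"]) and not host_is_allowed(m["host"], allowed_hosts):
            hits.append({"ip": m["ip"], "time": m["ts"], "host": m["host"]})
    return hits


if __name__ == "__main__":
    for hit in find_poisoned_reset_requests(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} lostpassword POST with foreign Host: {hit['host']}")
```

On the sample input only the second request from 198.51.100.9 is reported: the GET before it sends no mail, and the later upper-cased host with an explicit port normalises to an allowed name. Logging `%{Host}i` is a prerequisite; a default combined-format log does not record the header at all. Since no WordPress patch was available when this was published, the server-side workaround is to stop the Host header from reaching the sender address in the first place, for instance Apache's `UseCanonicalName On` together with an explicit `ServerName`, or a WordPress `wp_mail_from` filter that returns a fixed address.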

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Wordpress 7 2 95 44 18 159