Security News > 2017 > May > Unpatched Wordpress Flaw Could Allow Hackers To Reset Admin Password (The Hackers News)
2017-05-04 11:11
WordPress, the most popular CMS in the world, is vulnerable to a logical vulnerability that could allow a remote attacker to reset targeted users’ password under certain circumstances. The vulnerability (CVE-2017-8295) becomes even more dangerous after knowing that it affects all versions of WordPress — including the latest 4.7.4 version. The WordPress flaw was discovered by Polish security
News URL
http://feedproxy.google.com/~r/TheHackersNews/~3/1iBmSmNIZ44/hacking-wordpress-blog-admin.html
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2017-05-04 | CVE-2017-8295 | Weak Password Recovery Mechanism for Forgotten Password vulnerability in Wordpress WordPress through 4.7.4 relies on the Host HTTP header for a password-reset e-mail message, which makes it easier for remote attackers to reset arbitrary passwords by making a crafted wp-login.php?action=lostpassword request and then arranging for this message to bounce or be resent, leading to transmission of the reset key to a mailbox on an attacker-controlled SMTP server. | 4.3 |