Zero-day WordPress vulnerability could expose password reset emails

WordPress is affected by an unpatched (zero-day) vulnerability that could allow an attacker to obtain another user's password reset link, reset that user's password and take over the account.

The vulnerability was discovered by Dawid Golunski, who said he first reported the issue to the WordPress security team last July. Although the team reportedly said it was working on a fix, no patch was released, and Golunski went public with the vulnerability last week.

Flaw in password reset emails

The flaw is in how WordPress sites put together password reset emails. Golunski showed that WordPress reads the server variable SERVER_NAME to obtain the hostname it uses for the From and Return-Path addresses of the password reset email (wordpress@hostname). On common web server configurations (for example Apache with UseCanonicalName Off, the default) SERVER_NAME is simply copied from the Host header of the incoming HTTP request, which the client controls. An attacker who requests a password reset for the victim's account while sending a forged Host header can therefore make the reset email appear to come from, and bounce back to, any domain they like.

At first glance, this only means that the reset email still reaches the right owner but carries the wrong sender address; the reset link itself is unchanged and is only sent to the victim. However, Golunski describes several scenarios in which the sender address is enough for the attacker to obtain the link. For instance, the attacker could:

  • Prevent the email from being delivered to the victim's inbox, for example by flooding the victim with spam until their mailbox is full, or by performing a denial-of-service attack against the victim's mail server. In either case the message is bounced back to the envelope sender (the Return-Path), which points at the attacker's domain, so the attacker receives the non-delivery report together with the password reset link.
  • Exploit auto-responders, which often quote or attach the original message in their reply. The reply goes to the attacker-controlled sender address, so the reset link travels with it. This is particularly dangerous for business-affiliated WordPress sites, where out-of-office auto-replies are routinely set up when an employee is on holiday or otherwise away.
  • Provoke the victim into replying. By requesting resets repeatedly, the attacker floods the victim with emails reading "Someone requested a password reset for the following account". A victim who replies to ask what is going on sends the quoted message, reset link included, straight to the attacker's address.
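The following Python model, added here as an example and not taken from the article or from WordPress itself, shows the mechanism described above and the first scenario: the Host header of a constructed reset request ends up as the From address and envelope sender of the email, so a bounce or auto-reply lands in the attacker's domain. Beside it is a hardened derivation that takes the hostname from the configured site URL and refuses requests whose Host does not match. The request, the site URL and the mailbox names are all constructed assumptions; the `www.` stripping and `wordpress@` prefix mirror the behaviour the article describes.

```python
# Added example (not from the original article or from WordPress itself):
# how an attacker-controlled Host header becomes the From/Return-Path of a
# password reset email, beside a hardened derivation from the configured URL.
from email.message import EmailMessage
from urllib.parse import urlparse

# Constructed sample request; not a real capture. The attacker only has to
# change the Host header when requesting a reset for the victim's account.
ATTACKER_REQUEST = (
    "POST /wp-login.php?action=lostpassword HTTP/1.1\r\n"
    "Host: attacker.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "user_login=admin&wp-submit=Get+New+Password"
)

# Assumed: the site's configured home URL (what the administrator set up).
CONFIGURED_HOME_URL = "https://www.blog.example.org"


def parse_host(raw_request: str) -> str:
    """Return the Host header. With Apache's UseCanonicalName Off (the
    default) this client-supplied value is what PHP sees as SERVER_NAME."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip()
    raise ValueError("request has no Host header")


def from_address_vulnerable(server_name: str) -> str:
    """Mirror of the flawed derivation: wordpress@<SERVER_NAME>, lower-cased,
    with a leading 'www.' stripped. Nothing checks whose domain this is."""
    sitename = server_name.lower()
    if sitename.startswith("www."):
        sitename = sitename[4:]
    return f"wordpress@{sitename}"


def from_address_hardened(home_url: str, request_host: str) -> str:
    """Hardened derivation: take the domain from the configured site URL and
    refuse to serve the reset if the request's Host does not match it, so a
    forged Host can neither choose the sender nor trigger the email."""
    configured_host = (urlparse(home_url).hostname or "").lower()
    request_host_only = request_host.split(":", 1)[0].lower()
    if request_host_only != configured_host:
        raise PermissionError(
            f"Host {request_host!r} does not match configured site {configured_host!r}")
    sitename = configured_host[4:] if configured_host.startswith("www.") else configured_host
    return f"wordpress@{sitename}"


def build_reset_email(from_addr: str, to_addr: str, reset_link: str):
    """Return (envelope_sender, message). The mailer uses From as the SMTP
    envelope sender (Return-Path) unless told otherwise, so bounces and
    auto-replies go wherever From points."""
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = to_addr
    msg["Subject"] = "Password Reset"
    msg.set_content(
        "Someone has requested a password reset for the following account.\n"
        f"To reset your password, visit the following address:\n{reset_link}\n")
    return from_addr, msg


def bounce_destination(envelope_sender: str) -> str:
    """Domain that receives a bounce (full mailbox, unreachable server) or an
    out-of-office auto-reply quoting the reset link."""
    return envelope_sender.rsplit("@", 1)[1]


if __name__ == "__main__":
    host = parse_host(ATTACKER_REQUEST)
    sender, msg = build_reset_email(
        from_address_vulnerable(host), "victim@blog.example.org",
        "https://www.blog.example.org/wp-login.php?action=rp")  # constructed link
    print("vulnerable: bounces and auto-replies go to", bounce_destination(sender))
    try:
        from_address_hardened(CONFIGURED_HOME_URL, host)
    except PermissionError as exc:
        print("hardened:", exc)
```

Running the block prints that the vulnerable path routes bounces to `attacker.example`, while the hardened path rejects the forged Host outright. The check on Host is deliberately strict rather than a blocklist: the safe source of truth for the sender domain is the site's own configuration, never anything carried in the request.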

Given the publicity the flaw has received, a patch can be expected in the near future. WordPress shows security update notices on the site's admin dashboard, but it is also worth watching for news of the fix. In the meantime, site owners can remove the attacker's control over SERVER_NAME by giving the web server a fixed canonical hostname (on Apache, UseCanonicalName On together with a ServerName directive) so that the variable is no longer taken from the client's Host header.

Patch management

Installing patches and updates as soon as they are available is one of the most effective ways of staying secure. Indeed, patch management is one of the five key controls of Cyber Essentials, a UK government-backed security scheme that sets out a baseline of cyber security measures for organisations in all sectors.

The scheme's backers estimate that, when implemented correctly, Cyber Essentials can prevent around 80% of common cyber attacks.

To help companies adopt the scheme, IT Governance has designed three packaged solutions. Our unique online service supports organisations in certifying to Cyber Essentials or Cyber Essentials Plus at a pace and budget that suits them.

Find out more about Cyber Essentials and how you can certify >>