Launchpad.net

CVE 2017-8295

WordPress through 4.7.4 relies on the Host HTTP header for a password-reset e-mail message, which makes it easier for remote attackers to reset arbitrary passwords by making a crafted wp-login.php?action=lostpassword request and then arranging for this message to bounce or be resent, leading to transmission of the reset key to a mailbox on an attacker-controlled SMTP server. This is related to problematic use of the SERVER_NAME variable in wp-includes/pluggable.php in conjunction with the PHP mail function. Exploitation is not achievable in all cases because it requires at least one of the following: (1) the attacker can prevent the victim from receiving any e-mail messages for an extended period of time (such as 5 days), (2) the victim's e-mail system sends an autoresponse containing the original message, or (3) the victim manually composes a reply containing the original message.

Related bugs and status

CVE-2017-8295 (Candidate) is related to these bugs:

Bug #1691520: Wordpress May 2017 security updates

		In	Importance	Status
1691520	Wordpress May 2017 security updates	wordpress (Ubuntu)	High	Expired
1691520	Wordpress May 2017 security updates	wordpress (Ubuntu Zesty)	High	Expired
1691520	Wordpress May 2017 security updates	wordpress (Ubuntu Yakkety)	High	Expired
1691520	Wordpress May 2017 security updates	wordpress (Ubuntu Xenial)	High	Expired

See the

CVE page on Mitre.org for more details.

References

EXPLOIT-DB: 41963
MISC: https://exploitbox.io/...
BID: 98295
SECTRACK: 1038403
MISC: https://wpvulndb.com/v...
DEBIAN: DSA-3870