0-day bug in WordPress 4.7.4 & does it dangerous?

I bet you were announced about 0-day bug in WordPress 4.7.4 (CVE-2017-8295) - that may allow hacker take over administrator's password - by reset admin's password without email access permission.

For more details about this vulnerable, please visit here: https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html

In this post, I will let you know how does it danger and are you in threat because of this vulnerable. Then you will know how to handle it...

======= 0-day bug in WordPress 4.7.4 ======= 0-day bug in WordPress 4.7.4 ======= 0-day bug in WordPress 4.7.4  =======

Attack method

Follow to the ExplotItBox, first, hacker will send a HTTP request to your website through IP address - that means - your website must be able to access with IP address. If you're using shared hosting with latest version of cPanel, then you're fine with this. cPanel soon has patched it up on Linux, and cPanel shared hosting will no longer able to access through IP address anymore.

-----[ HTTP Request ]----

POST /wp/wordpress/wp-login.php?action=lostpassword HTTP/1.1
Host: injected-attackers-mxserver.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 56

In about request, hacker has stick his email server address on, and on APache, SERVER_NAME will be replaced automatically with HOST value in this request - that is hacker's email server address.

At this time, administrator will receive email like this:

Subject: [CompanyX WP] Password Reset
Return-Path: <wordpress@attackers-mxserver.com>
From: WordPress <wordpress@attackers-mxserver.com>
Message-ID: <e6fd614c5dd8a1c604df2a732eb7b016@attackers-mxserver.com>
X-Priority: 3
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Someone requested that the password be reset for the following account:


Username: admin

If this was a mistake, just ignore this email and nothing will happen.

To reset your password, visit the following address:


You see that Return-Path contained the value that WordPress automatically put on SERVER_NAME value, that is wordpress@hacker-email-server-address.ltd and even Message-ID also contained an address of hacker.

That's clear. If system or user imprudence reply to thí email, hacker will receive the content of the email that include password reset key of administrator. So, we have 3 possibilities in the list below:

  • Some email of administrator has auto-reply function - with quote of received content.
  • Hacker will flood email server to make it loose ability to send & reply email.
  • Administrator use 3rd party email service like Gmail. Hacker must send a huge amount of requests then make provider deny hacker's server address, and then email no longer can send and reply email.

======= 0-day bug in WordPress 4.7.4 ======= 0-day bug in WordPress 4.7.4 ======= 0-day bug in WordPress 4.7.4  =======

So. does it put you in danger?

This is a serious vulnerable, and you could be in trouble if:

  • You're using Apache web server and able to access your site through server's IP (means you did not create virtualhost).
  • The hacker knows what is username of administrator
  • The wp-login.php file is able to direct access. Some plugins could hide the log-in link like iTheme Security will automatically block direct access to this file.
  • Administrator use email with the same host server could be count in. But if you use Gmail or another email service, a very big of emails amount at a same time may let its provider blocks a sender.

So, if you want to stay out of this trouble, simple install Disable Password Reset plugin to prevent this happen. Otherwise, this bug may not too dangerous like everybody says. Another recommendation is just keep your WordPress always up-to-date, the community will never let a bug stay for too long.


======= 0-day bug in WordPress 4.7.4 ======= 0-day bug in WordPress 4.7.4 ======= 0-day bug in WordPress 4.7.4  =======