Unpatched WordPress Vulnerability Undermines Administrator Privileges

WordPress is a widely used content management system (CMS) that powers about 30% of all websites worldwide.
According to The Hacker News, security researcher Dawid Golunski of Legal Hackers recently disclosed a critical unpatched flaw in the WordPress platform that allows an attacker to reset a victim's admin password under certain conditions.

The flaw lies in the way WordPress lets users obtain new passwords for their accounts. When a user requests a new password through the "forgot password" feature, WordPress sends an email containing a secret link that completes the reset.

When building that email for the legitimate recipient, WordPress reads the server's hostname from the SERVER_NAME variable and uses it to populate the "From" and "Return-Path" headers.
Because SERVER_NAME can be influenced by the request (it is derived from the HTTP Host header on common server configurations), an attacker can make those headers point to a domain of their choosing.
If the message then bounces or is otherwise returned to that sender address, the attacker receives a copy of the email containing the secret reset link, changes the victim's password, and gains administrative access to the site.

The WordPress team was informed of this logic flaw around mid-2016. However, no patch has been released, potentially leaving millions of sites exposed to this kind of attack.

Until WordPress ships an official fix, site administrators can reduce their exposure by changing the web server configuration so that SERVER_NAME is fixed to a predetermined value rather than taken from the request; on Apache this means enabling UseCanonicalName so that SERVER_NAME always reflects the configured ServerName.
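The following Python snippet is an added illustration of the mechanism described above and of the mitigation; it is not WordPress code (WordPress is written in PHP) and not taken from the original article. It models how the sender headers come out when SERVER_NAME follows the request's Host header versus when the server is configured to use a fixed canonical name, and adds a simple allowlist check a defender can apply to incoming Host values. The `wordpress@<domain>` sender format, the `www.` stripping and the hostname `example.com` are assumptions made for the example.

```python
import re

# Assumption: the site's configured ServerName (stands in for Apache's ServerName directive).
CANONICAL_HOST = "example.com"

# Conservative syntax check for a DNS hostname (labels of letters, digits and hyphens).
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$"
)


def effective_server_name(request_host, canonical=CANONICAL_HOST, use_canonical_name=False):
    """Model what the web server exposes to the application as SERVER_NAME.

    With UseCanonicalName Off (the usual default for name-based virtual hosts)
    SERVER_NAME follows the request's Host header; with it On, the configured
    ServerName is used regardless of what the client sent.
    """
    if use_canonical_name:
        return canonical
    host = request_host.strip().lower()
    return host.split(":", 1)[0]  # drop an optional port


def reset_mail_headers(server_name):
    """Build the From / Return-Path headers from SERVER_NAME, as the article describes.

    The 'wordpress@' prefix and the 'www.' stripping are assumptions for this example.
    """
    domain = server_name[4:] if server_name.startswith("www.") else server_name
    sender = f"wordpress@{domain}"
    return {"From": sender, "Return-Path": sender}


def host_is_trusted(request_host, allowlist=(CANONICAL_HOST,)):
    """Defensive check: accept a Host value only if it is well-formed and allowlisted."""
    host = request_host.strip().lower().split(":", 1)[0]
    return bool(HOSTNAME_RE.match(host)) and host in allowlist


if __name__ == "__main__":
    # Constructed request: the client sends a Host header the site does not own.
    attacker_host = "attacker.example"
    print("Host follows request:", reset_mail_headers(effective_server_name(attacker_host)))
    print("Canonical name enforced:",
          reset_mail_headers(effective_server_name(attacker_host, use_canonical_name=True)))
    print("Host trusted?", host_is_trusted(attacker_host))
```

With the request-driven configuration the Return-Path lands in the attacker's domain, which is the condition the article warns about; with the canonical name enforced the same request yields a sender in the site's own domain. The allowlist check is a second, application-level safeguard independent of the web server setting.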

Read the full article here.
