WordPress Host header attack

OWASP 2013-A9 OWASP 2017-A9 OWASP 2021-A6 WASC-24 CWE-20 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N WSTG-INPV-17

WordPress based websites have a vulnerability through which an attacker can hold password reset link without any previous authentication. Using this link, an attacker can gain unauthorised to victim’s WordPress account. When a user requests for a password change, the change password should be sent to that user. The attacker can gain this link from the user due to this vulnerability in WordPress.


The following code creates “from email” header before calling a PHP mail function.

                if ( !isset( $from_email ) ) {
                        // Get the site domain and get rid of www.
                        $sitename = strtolower( $_SERVER['SERVER_NAME'] );
                        if ( substr( $sitename, 0, 4 ) == 'www.' ) {
                                $sitename = substr( $sitename, 4 );
                        $from_email = 'wordpress@' . $sitename;


As the SERVER_NAME is a variable, the attacker can set any domain as a sender. He will set his malicious domain as the sender. For using this vulnerability, the attacker will perform prior DoS attack. The attack performs DoS attack by sending few large files to the server to fill the user’s storage quota. This prevents the password reset mail being sent to the user. This mail will be saved in the attacker’s sent mail. He can then access this link to reset the password. The attacker can use another method by which, he sends multiple reset passwords to the victim user. By using this method, he tries to force the victim user to change the password through the link. The attacker can GET the reply and use the reply to access the application. This method requires user interaction.

Impact and Fixes

Latest Articles