WordPress Host header attack

By Sooraj V Nair
Published on 26 Apr 2022

WordPress-based websites have a vulnerability through which an attacker can get hold of a password reset link without any prior authentication. Using this link, the attacker can gain unauthorised access to the victim’s WordPress account. When a user requests a password change, the password reset link should be sent to that user. Because of this vulnerability in WordPress, the attacker can obtain the link instead.

Example

The following code creates the “from email” header before calling a PHP mail function.

    if ( !isset( $from_email ) ) {
        // Get the site domain and get rid of www.
        $sitename = strtolower( $_SERVER['SERVER_NAME'] );
        if ( substr( $sitename, 0, 4 ) == 'www.' ) {
            $sitename = substr( $sitename, 4 );
        }

        $from_email = 'wordpress@' . $sitename;
    }

Because SERVER_NAME is a variable whose value can follow the Host header of the request, the attacker can set any domain as the sender, and will set a malicious domain of his own. To use this vulnerability, the attacker first performs a DoS attack by sending a few large files to the server to fill the user’s storage quota. This prevents the password reset mail from being delivered to the user. The mail will be saved in the attacker’s sent mail, and he can then access the link in it to reset the password.

The attacker can also use another method, in which he sends multiple password reset mails to the victim user. With this method, he tries to force the victim user to change the password through the link. The attacker can get the reply and use it to access the application. This method requires user interaction.
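The snippet above next to a hardened variant, as an added example that is not part of the original article and is not WordPress core code. The function names, the allowlist, the canonical domain and the sample hosts are assumptions made for illustration.

```php
<?php
// Added example: not WordPress core code. Function names, the allowlist and
// the sample hosts below are hypothetical.

// Mirrors the page's snippet: the sender domain comes straight from the request.
function from_email_vulnerable(array $server): string {
    $sitename = strtolower($server['SERVER_NAME']);
    if (substr($sitename, 0, 4) == 'www.') {
        $sitename = substr($sitename, 4);
    }
    return 'wordpress@' . $sitename;
}

// Hardened: the request-derived name is used only if it matches a domain the
// site owner configured; otherwise the configured canonical domain is used.
function from_email_hardened(array $server, array $allowed, string $canonical): string {
    $name = strtolower(trim($server['SERVER_NAME'] ?? ''));
    $name = rtrim(preg_replace('/:\d+$/', '', $name), '.'); // drop port and trailing dot
    if (substr($name, 0, 4) === 'www.') {
        $name = substr($name, 4);
    }
    $valid = filter_var($name, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) !== false;
    if (!$valid || !in_array($name, $allowed, true)) {
        // Log the mismatch so unexpected server names show up in monitoring.
        error_log('Rejected server name for mail sender: ' . json_encode($name));
        $name = $canonical;
    }
    return 'wordpress@' . $name;
}

// Constructed sample requests (reserved example domains only).
$allowed   = ['blog.example'];
$canonical = 'blog.example';
$requests  = [
    'normal'   => ['SERVER_NAME' => 'www.blog.example'],
    'dotted'   => ['SERVER_NAME' => 'BLOG.example.'],
    'spoofed'  => ['SERVER_NAME' => 'mail.attacker.example'],
    'missing'  => [],
];

foreach ($requests as $label => $server) {
    $server += ['SERVER_NAME' => '']; // the vulnerable version expects the key to exist
    printf("%-8s vulnerable=%s hardened=%s\n", $label,
        json_encode(from_email_vulnerable($server)),
        json_encode(from_email_hardened($server, $allowed, $canonical)));
}
```

Run with the PHP CLI: the spoofed request changes the sender domain only in the first function, while the second falls back to the configured domain and logs the rejected name.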

Impact and Fixes


Written by
Sooraj V Nair
Cyber Security Engineer