Contact your web developer or the provider managing your website to make sure your website is safe against the CVE-2017-8295 WordPress vulnerability.

All versions of WordPress, including the current version (4.7.4), may be susceptible to CVE-2017-8295, a security risk which allows an individual to remotely reset the passwords of local WordPress user accounts. While the security risk was initially discovered nearly a year ago, many websites may still be vulnerable.

Below is an official response from the WordPress team:

“This issue has been reported to WordPress security team multiple times with the first report sent back in July 2016. It was reported both directly via security contact email, as well as via HackerOne website,” Golunski wrote in an advisory published today. “As there has been no progress, in this case, this advisory is finally released to the public without an official patch.”

In basic terms, the issue lies in the way the popular Content Management System processes password resets: when a user clicks the forgot-password link, a unique security code is sent to that user's registered email address, and the sender address of that email is built from the SERVER_NAME value, which a default web server configuration derives from the Host header of the incoming request. While there isn't a patch currently available, admins and developers are advised to update their server configuration by enabling UseCanonicalName to enforce a static, predefined SERVER_NAME value.
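The following Apache configuration is an added example of the mitigation described above; it is not part of the original post or the referenced article. The hostnames, port and document root are placeholders. With UseCanonicalName left at its default (Off), Apache fills SERVER_NAME from whatever Host header the client sends; with it set to On, SERVER_NAME is always the configured ServerName, so the reset email is generated with the site's real hostname.

```apacheconf
# Added example: Apache virtual hosts for a WordPress site.
# Hostnames and paths are placeholders, not values from the original post.

# Catch-all for requests whose Host header matches no configured site.
# Listed first on purpose: Apache routes unknown hostnames to the first
# virtual host for the address, so denying them here keeps such requests
# from ever reaching WordPress.
<VirtualHost *:443>
    ServerName catchall.invalid
    <Location "/">
        Require all denied
    </Location>
</VirtualHost>

# The WordPress site itself.
<VirtualHost *:443>
    # Weak default (implicit if omitted):
    #   UseCanonicalName Off
    # SERVER_NAME then mirrors the request's Host header.

    # Hardened: pin SERVER_NAME to this ServerName regardless of the
    # Host header, so $_SERVER['SERVER_NAME'] seen by PHP is static.
    ServerName www.example.com
    ServerAlias example.com
    UseCanonicalName On

    DocumentRoot /var/www/wordpress
    <Directory /var/www/wordpress>
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>
```

After reloading Apache, a defender can confirm the setting took effect with a small test page that echoes `$_SERVER['SERVER_NAME']`: it should print `www.example.com` (the configured ServerName) even when the request is sent with a different Host header, and a request for an unknown hostname should be answered by the catch-all host rather than by WordPress.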

More information can be found from the reference information below:

Reference

Kumar, M. (2017). Unpatched WordPress Flaw Could Allow Hackers To Reset Admin Password. The Hacker News. Retrieved 8 May 2017, from http://thehackernews.com/2017/05/hacking-wordpress-blog-admin.html