
[Vulnerability notice] CVE-2017-8295: Password reset vulnerability in WordPress Core 4.7.4 and earlier versions

Last Updated: Apr 13, 2018

On May 3, 2017, the open-source CMS software WordPress was revealed to have a password reset vulnerability. The vulnerability affects all versions of WordPress and may cause data leakage.

See the following for more information about the vulnerability.


CVE identifier

CVE-2017-8295

Vulnerability name

Password reset vulnerability in WordPress Core 4.7.4 and earlier versions

Vulnerability rating

High

Vulnerability description

The WordPress password reset vulnerability allows an attacker to directly obtain the password reset link without authentication in some cases. The attacker may obtain unauthorized access to WordPress accounts, resulting in data leakage.

Condition and method of exploitation

Remote exploitation

Affected scope

WordPress Core <= 4.7.4

How to fix or mitigate

Track the latest official WordPress release and upgrade WordPress in a timely manner.

Reference

[1]. https://w3techs.com/technologies/details/cm-wordpress/all/all
[2]. https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html
