Understanding the Current 'Password Reset' Vulnerability Exposed in WordPress

A large percentage of site owners use WordPress to power their sites.  One of the side benefits of this aspect is that security researchers/testers spend quite a bit of time looking for exploits and vulnerabilities in WordPress.  Most of the times, when a vulnerability is discovered, it is patched relatively quickly, and the WordPress update fixes that vulnerability.  But there are occasions when groups differ on the level of vulnerability of a discovered exploit.  This is what has happened recently.  The summary is:

• Dawid Golunski discovered a method of resetting an Administrator's WordPress password through a 'password reset' email exploit.
• The Core WordPress Security team didn't feel it was a priority at that moment.
• The exploit has now been made public.
• A patch/fix is now in the process of being released.

What is going on?

Why is it that the Core WordPress Security team didn't feel this exploit was a priority at the time the exploit was shared privately?  While I can't read minds, I can surmise that because of all the unique factors that would be required to take advantage of the vulnerability, the patch was not a priority.  So what is needed to be done to exploit this particular WordPress vulnerability? (No, I'm not going to show you how to hack WordPress, but rather demonstrate the extraordinary steps that would have to be taken to exploit the vulnerability.)

• The exploit would require the hacker to spoof an HTTP request using a custom hostname while attempting to reset a password.
• Then it would require the receiver of the email to REPLY to the password reset email. (slim chance)
• Or the "hacker" could attempt to bring down the receiver of the email's email server to force a bounce-back that would hopefully come back to a spoofed hostname.
• This exploit would also require a (poorly configured) server that allows for modifying hostnames; which most hosts do not allow.
• Plus, this exploit would require a site not be using a separate SMTP plugin where sending transactional emails, like the password reset request, are locked down to predefined settings.

So as you can see, it indeed would take a long shot AND require many ducks in a row to successfully exploit the vulnerability.

But here is the impressive part.  Once the vulnerability was publically exposed, the greater WordPress development community had a patch ready.   So expect a security release update for WordPress soon and in the meantime, don't be too frightened of the "sky is falling" doomsday people on Twitter saying this hack is the downfall of WordPress.

Side Note: I have also released an update for my SMTP Studio plugin that is available to WPStudio members to deal with this issue.  Members can download a new version of SMTP Studio in their Account area or click on the update in their respective WordPress sites.