CVE-2017-8295

MEDIUM EXPLOITED

WordPress <= 4.7.4 - Unauthenticated Weak Password Recovery Mechanism via Host Header Manipulation


Exploitation Summary

CVE-2017-8295 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 6 public exploits from researchers including Dawid Golunski, cyberheartmi9, and alash3al.

AI-analyzed exploit summary: This exploit demonstrates a password reset vulnerability in WordPress 4.7 by manipulating the Host header to redirect password reset emails to an attacker-controlled domain. It leverages improper handling of the SERVER_NAME variable to spoof email headers.

Description

WordPress through 4.7.4 relies on the Host HTTP header for a password-reset e-mail message, which makes it easier for remote attackers to reset arbitrary passwords by making a crafted wp-login.php?action=lostpassword request and then arranging for this message to bounce or be resent, leading to transmission of the reset key to a mailbox on an attacker-controlled SMTP server. This is related to problematic use of the SERVER_NAME variable in wp-includes/pluggable.php in conjunction with the PHP mail function. Exploitation is not achievable in all cases because it requires at least one of the following: (1) the attacker can prevent the victim from receiving any e-mail messages for an extended period of time (such as 5 days), (2) the victim's e-mail system sends an autoresponse containing the original message, or (3) the victim manually composes a reply containing the original message.

Exploits (6)

exploitdb WORKING POC
by Dawid Golunski · text · webapps · linux
https://www.exploit-db.com/exploits/41963

This exploit demonstrates a password reset vulnerability in WordPress 4.7 by manipulating the Host header to redirect password reset emails to an attacker-controlled domain. It leverages improper handling of the SERVER_NAME variable to spoof email headers.

Classification: Working PoC 90%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: WordPress 4.7
No auth needed
Prerequisites: WordPress installation accessible via IP-based vhost · Default WordPress configuration
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 20 stars
by cyberheartmi9 · remote
https://github.com/cyberheartmi9/CVE-2017-8295

This PoC exploits CVE-2017-8295, a WordPress password reset vulnerability where the Host header is used to manipulate the password reset email destination. The script sends crafted requests to multiple WordPress sites to trigger password reset emails to an attacker-controlled domain.

Classification: Working PoC 90%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: WordPress (versions affected by CVE-2017-8295)
No auth needed
Prerequisites: List of target WordPress sites · Attacker-controlled domain to receive password reset emails
devstral-2 · analyzed Feb 16, 2026

nomisec WRITEUP 2 stars
by alash3al · poc
https://github.com/alash3al/wp-allowed-hosts

This repository provides a WordPress plugin designed to mitigate the CVE-2017-8295 vulnerability by restricting allowed hostnames. It includes installation and usage instructions but does not contain exploit code.

Classification: Writeup 100%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: WordPress (unspecified version)
No auth needed
Prerequisites: WordPress installation · Ability to modify wp-config.php
devstral-2 · analyzed Feb 16, 2026

github WORKING POC 1 star
by vaishakhcv · perl · poc
https://github.com/vaishakhcv/CVE-exploits/tree/master/CVE-2017-8295

This repository contains a functional Perl exploit for CVE-2017-8295, which targets WordPress versions prior to 4.7.4. The exploit manipulates the Host HTTP header to redirect password reset emails to an attacker-controlled domain, allowing unauthorized password resets.

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: WordPress < 4.7.4
No auth needed
Prerequisites: attacker-controlled domain · victim's email system must either bounce, autorespond, or manually reply with the original message
devstral-2 · analyzed Feb 27, 2026

github WORKING POC
by winterwolf32 · perl · poc
https://github.com/winterwolf32/CVE_Exploits-/tree/master/CVE-2017-8295

This repository contains a functional Perl exploit for CVE-2017-8295, which leverages the Host HTTP header to manipulate WordPress password reset emails. The exploit sends a crafted request to trigger a password reset email to an attacker-controlled domain.

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: WordPress < 4.7.4
No auth needed
Prerequisites: attacker-controlled domain for email interception
devstral-2 · analyzed Feb 27, 2026

nomisec WRITEUP
by homjxi0e · poc
https://github.com/homjxi0e/CVE-2017-8295-WordPress-4.7.4---Unauthorized-Password-Reset

This repository contains a writeup describing CVE-2017-8295, an unauthorized password reset vulnerability in WordPress 4.7.4. The vulnerability allows attackers to obtain password reset links without authentication, potentially leading to account compromise.

Classification: Writeup 90%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: WordPress 4.7.4
No auth needed
Prerequisites: Access to the WordPress password reset functionality
devstral-2 · analyzed Feb 16, 2026

References (6)

Core References
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/41963/
Exploit, Technical Description, Third Party Advisory x_refsource_misc
https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2017/dsa-3870
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1038403
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/98295
Third Party Advisory x_refsource_misc
https://wpvulndb.com/vulnerabilities/8807

Scores

CVSS v3 5.9
EPSS 0.2670
EPSS Percentile 97.8%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

VulnCheck KEV 2022-01-26
CWE CWE-640
Status published
Products (1)
wordpress/wordpress < 4.7.4
Published May 04, 2017
Tracked Since Feb 18, 2026