- Plesk for Windows
- Plesk for Linux
WordPress uses the SERVER_NAME variable to obtain the hostname from which it builds the From and Return-Path headers of the password reset email. On a default site, Apache and IIS populate SERVER_NAME from the Host header of the incoming request, so an attacker who requests the password reset with a crafted Host header can make WordPress send the "Password Reset" email with a From header of the attacker's choosing.
A Plesk website is affected if ALL of the following are true:
- WordPress is hosted in a version that does not contain the fix (the issue was originally reported for version 4.7.4 and earlier).
- The site is the default site for one of the server's IP addresses (the site that answers requests whose Host header matches no hosted domain).
- The site is served by Apache or IIS (sites served by nginx are not affected).
When a WordPress site is hosted in a Plesk environment, the attacker cannot forge the Return-Path header, because the Plesk mail system rewrites this header on outgoing messages. Only the From header remains under the attacker's control.
The attacker can therefore trigger a password reset for a WordPress account and have the resulting email carry a forged From header. In some situations such an email can be intercepted and the account compromised. The affected scenarios are the following:
- Some auto-responders attach a copy of the original message, including the reset link, to the body of the automatic reply, which is delivered to the forged From address.
Note: auto-responders configured in Plesk do not include the body of the original message in the reply.
- The attacker convinces the user to reply to the email, for example by sending several password reset emails in a row. A reply containing the password reset link is then delivered to the attacker, because replies go to the forged From address. We strongly advise not to reply to such emails.
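The following script is an added example (not code from Plesk or WordPress) showing how an administrator can check a received password reset email for the symptoms described above: a From domain that differs from the site's real hostname, a Return-Path that the mail system did or did not rewrite, and the address a reply would actually go to. The expected hostname `example.com` and the two sample messages are constructed for the example.

```python
"""Check a WordPress password-reset email for a forged sender.

Added example, not code from Plesk or WordPress. It parses a raw RFC 5322
message and compares the From and Return-Path domains with the hostname the
site is expected to send from, and reports where a reply would be delivered.
The two sample messages below are constructed for this example.
"""
import email
import re
from email.utils import parseaddr
from urllib.parse import urlparse

EXPECTED_HOST = "example.com"  # the site's real hostname (assumed for the example)

# Constructed sample 1: the From header reflects an attacker-controlled Host
# header, while Return-Path was rewritten by the outgoing mail system.
FORGED_EML = """\
Return-Path: <wordpress@example.com>
From: WordPress <wordpress@attacker.example>
To: admin@example.com
Subject: [Example Site] Password Reset
Content-Type: text/plain; charset=UTF-8

Someone has requested a password reset for the following account:

Username: admin

To reset your password, visit the following address:

<http://example.com/wp-login.php?action=rp&key=k3y0123456789&login=admin>
"""

# Constructed sample 2: a legitimate reset mail from the same site.
CLEAN_EML = FORGED_EML.replace("wordpress@attacker.example", "wordpress@example.com")


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if malformed."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def reset_link_host(body: str) -> str:
    """Hostname of the first http(s) URL in the body, or '' if there is none."""
    m = re.search(r"https?://[^\s<>]+", body)
    return (urlparse(m.group(0)).hostname or "") if m else ""


def check_reset_mail(raw: str, expected_host: str) -> dict:
    """Parse one raw message and report sender-forgery indicators."""
    msg = email.message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, rp_addr = parseaddr(msg.get("Return-Path", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload(decode=True) or b""
    body = body.decode(msg.get_content_charset() or "utf-8", "replace")
    expected = expected_host.lower()
    from_dom = _domain(from_addr)
    rp_dom = _domain(rp_addr)
    return {
        "from_domain": from_dom,
        "return_path_domain": rp_dom,
        # A reply goes to Reply-To if present, otherwise to the (forgeable) From.
        "reply_goes_to": reply_to or from_addr,
        # The link itself points at the real site; only the sender is forged.
        "reset_link_host": reset_link_host(body),
        "forged_from": from_dom != expected,
        # Empty Return-Path (not present) is not treated as forged.
        "forged_return_path": bool(rp_dom) and rp_dom != expected,
    }


if __name__ == "__main__":
    for label, raw in (("forged", FORGED_EML), ("clean", CLEAN_EML)):
        print(label, check_reset_mail(raw, EXPECTED_HOST))
```

For the forged sample the report shows `forged_from` true, `forged_return_path` false (the mail system rewrote it, as Plesk does), and `reply_goes_to` pointing at the attacker's address, which is exactly why a reply leaks the reset link. The same check can be run on a saved `.eml` by reading the file into `check_reset_mail`.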
Update WordPress to version 4.7.12 or later using this article