Vulnerability found: WordPress 2.3-4.8.2 – Host Header Injection in Pass Reset

I came to ask the same.
I got two “Vulnerability found: WordPress 2.3-4.8.2 – Host Header Injection in Password Reset” warnings. Both are same.
Should I be worried?
Plugin does not give any option about what to do?
Regards

As far as I can see, this vulnerability exists in the current 4.8.2 version of WordPress and no official patch exists, as yet. Will follow-up if and when I find out more information.

I came for the same reason. Please, if you find a solution, let us know. Thanks.

Hi,

I deactivated the plugin temporarily to avoid receiving daily notifications for this vulnerability from all my sites.

I’ll reactivate it when this issue is fixed.

Best regards,
Sonia.

Yes, unfortunately disabling the plugin is the only option at the moment if you want to mute those notifications. Hopefully WordPress will release an updated fixed version soon.

Any update on a fix for this?

BTW, shutting off the vulnerability plug-in so you stop getting the alerts is the equivalent killing all power to your smoke alarms. Not a good thing to do. A Fortune 50 co. that I worked for back in the ’90s had a huge DC failure because some workers (present company not included) silenced a physical alarm instead of fixing the issue that was causing the alarm.

Never mind, found it: https://latesthackingnews.com/2017/05/05/millions-of-websites-at-risk-as-wordpress-high-level-security-flaw-discovered/

• This reply was modified 7 years, 1 month ago by kkoch3.

Hello, since 2 weeks I have this error of the WordPress sites that I create. Is it possible to have solution ?

Vulnerability found: WordPress 2.3-4.8.2 – Host Header Injection in Password Reset

Thank you

Is it possible to create an update to set this error please!

This error has existed for several weeks, come back with a solution or an explanation! Thank you for your help

The vulnerability is genuine. More details can be found here:

https://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html

Given that no official fix has been forthcoming from WordPress, I am planning to release an update that will allow you to ignore this error if you have manually fixed the problem on your server.

Thank you for your patience,

Glen

• This reply was modified 7 years ago by Glen Scott.

Version 1.5.1 of the plugin has a new setting that allows you to ignore the “WordPress 2.3-4.8.3 – Host Header Injection in Password Reset” after you have manually verified that your web host is not vulnerable.

Hi @glen_scott
Thanks for adding this new option but I can’t find it.
Where is it? I’ve already updated your plugin.
Best regards

The setting can be found under Settings -> General (see screenshot)

View post on imgur.com

Perfect. Many thanks!

I unchecked the box to opt-out of this detection and upgraded to 4.9. I then ran the scanner and it didn’t detect it. Has this been fixed in 4.9?

It is not currently listed as a vulnerability in 4.9:

https://wpvulndb.com/wordpresses

This means that either WordPress has fixed the issue or the vulnerability database has not yet been updated.