WordPress through 4.7.4 relies on the Host HTTP header for a password-reset
e-mail message, which makes it easier for remote attackers to reset
arbitrary passwords by making a crafted wp-login.php?action=lostpassword
request and then arranging for this message to bounce or be resent, leading
to transmission of the reset key to a mailbox on an attacker-controlled
SMTP server. This is related to problematic use of the SERVER_NAME variable
in wp-includes/pluggable.php in conjunction with the PHP mail function.
Exploitation is not achievable in all cases because it requires at least
one of the following: (1) the attacker can prevent the victim from
receiving any e-mail messages for an extended period of time (such as 5
days), (2) the victim's e-mail system sends an autoresponse containing the
original message, or (3) the victim manually composes a reply containing
the original message.
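
The check below is an added example, not part of this advisory or of WordPress: it scans web server access logs for password-reset POSTs whose Host header is not one of the site's own names, which is the request shape the description above depends on. The log format, the allowed hostnames and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Assumption: the hostnames this site legitimately answers to.
ALLOWED_HOSTS = frozenset({"blog.example.com", "www.blog.example.com"})

# Assumed nginx log_format (not from the advisory):
#   '$remote_addr [$time_local] "$request" $status "$http_host"'
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
    r'"(?P<host>[^"]*)"$'
)

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 [09/May/2017:10:01:12 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 "blog.example.com"',
    '203.0.113.9 [09/May/2017:10:03:40 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 "mail.attacker.invalid"',
    '198.51.100.7 [09/May/2017:10:04:02 +0000] "GET /wp-login.php?action=lostpassword HTTP/1.1" 200 "blog.example.com"',
    '203.0.113.9 [09/May/2017:10:05:11 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 "Blog.Example.com:443"',
]

def normalise_host(raw):
    """Lower-case the Host value, drop a port suffix and a trailing dot."""
    host = raw.strip().lower()
    if ":" in host and not host.startswith("["):  # leave IPv6 literals as-is
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".")

def is_reset_request(method, uri):
    """True only for POST .../wp-login.php?action=lostpassword."""
    path, _, query = uri.partition("?")
    if method != "POST" or not path.endswith("/wp-login.php"):
        return False
    return "lostpassword" in parse_qs(query).get("action", [])

def suspicious_resets(lines, allowed=ALLOWED_HOSTS):
    """Return (timestamp, client, host) for reset POSTs with an unexpected Host."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or not is_reset_request(m["method"], m["uri"]):
            continue
        host = normalise_host(m["host"])
        if host not in allowed:
            hits.append((m["ts"], m["ip"], host))
    return hits

if __name__ == "__main__":
    print(suspicious_resets(SAMPLE_LOG))
```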
Upstream: released (4.7.5+dfsg-2)
Ubuntu 12.04 ESM (Precise Pangolin): DNE (precise was needs-triage)
Ubuntu 14.04 ESM (Trusty Tahr): DNE (trusty was needed)
Ubuntu 16.04 LTS (Xenial Xerus): needed
Ubuntu 18.04 LTS (Bionic Beaver): not-affected (4.9.5+dfsg1-1)
Ubuntu 20.04 LTS (Focal Fossa): not-affected (4.9.5+dfsg1-1)
Ubuntu 20.10 (Groovy Gorilla): not-affected (4.9.5+dfsg1-1)

Updated: 2020-09-09 21:38:41 UTC (commit b67d7d8b03f173f825cd706df5bd078bca500b0e)