Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1310 CNY

100%
Buy Us a Coffee

CVE-2017-8295 PoC — WordPress 安全漏洞

Source
https://github.com/alash3al/wp-allowed-hosts
Associated Vulnerability
Title:WordPress 安全漏洞 (CVE-2017-8295)
Description:WordPress through 4.7.4 relies on the Host HTTP header for a password-reset e-mail message, which makes it easier for remote attackers to reset arbitrary passwords by making a crafted wp-login.php?action=lostpassword request and then arranging for this message to bounce or be resent, leading to transmission of the reset key to a mailbox on an attacker-controlled SMTP server. This is related to problematic use of the SERVER_NAME variable in wp-includes/pluggable.php in conjunction with the PHP mail function. Exploitation is not achievable in all cases because it requires at least one of the following: (1) the attacker can prevent the victim from receiving any e-mail messages for an extended period of time (such as 5 days), (2) the victim's e-mail system sends an autoresponse containing the original message, or (3) the victim manually composes a reply containing the original message.
Description
a plugin that protects your wp site from the CVE-2017-8295 vulnerability
Readme
# WP Allowed Hosts
This plugin has been created after the vulnerability known as `CVE-2017-8295` has been disclosed, 
this plugin will protect you from that attack with no hassle, just add simple line to your `wp-config.php` .

# Installation
Just download the plugin from [here](https://github.com/alash3al/wp-allowed-hosts/archive/master.zip) and upload it to your site .

# Usage
Just add the following line to your `wp-config.php`
```php
// WP Allowed Hosts Plugin
define( 'WP_ALLOWED_HOSTS', 'mysit.com' );
```

You can also add multiple domains .
```php
// WP Allowed Hosts Plugin
define( 'WP_ALLOWED_HOSTS', 'site1.com,site2.com' );
```
File Snapshot

Log in to view the POC file snapshot cached by Shenlong Bot

Log in to view
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →