Security Haiku: ExploitBox’s CVE-2017-8295
Return to sender
sending to the wrong domain
read from HOST header.
A recently released authentication bypass vulnerability affects WordPress versions before and including 4.7.4, under specific server configurations. The attack requires a request to a WordPress site via its IP address, with the attacker setting the HOST header of the HTTP request to a value of their own. Pagely does not allow direct access to WordPress sites via IP address and requires the HOST field sent in the headers to be the actual site being requested, so a request with a HOST value controlled by an attacker will not be directed to a WordPress installation at Pagely.
Pagely hosted sites
are not affected by this
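The routing rule described above, sketched as an added example (this is not Pagely's code): a front end that forwards a request only when its HOST header names a site it actually serves, and refuses IP literals and unknown names. The site list, function names and status codes are assumptions made for this illustration.

```python
import ipaddress

# Constructed allowlist: hostnames this front end serves (assumption).
SERVED_SITES = {"example.com", "www.example.com"}

def normalize_host(raw):
    """Return the lowercase hostname from a Host header value, or None if malformed."""
    if not raw or any(c.isspace() or c in "/@\\," for c in raw):
        return None
    host = raw.lower()
    if host.startswith("["):              # bracketed IPv6 literal, e.g. [::1]:8080
        end = host.find("]")
        return host[: end + 1] if end != -1 else None
    name, sep, port = host.partition(":")
    if sep and not port.isdigit():        # "host:" or "host:abc" is malformed
        return None
    return name.rstrip(".") or None       # treat "example.com." as "example.com"

def is_ip_literal(host):
    """True when the host is an IPv4 or (bracketed) IPv6 address, not a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def route_request(host_header, served=SERVED_SITES):
    """Decide whether a request may reach the WordPress installation.

    Returns (status, detail). The status codes are this example's choice.
    """
    host = normalize_host(host_header)
    if host is None:
        return 400, "missing or malformed Host"
    if is_ip_literal(host):
        return 421, "direct IP access refused"
    if host not in served:
        return 421, "unknown Host"
    return 200, host                      # safe to hand to the site's backend

if __name__ == "__main__":
    # Constructed sample header values, not taken from real traffic.
    for value in ["example.com", "WWW.Example.com.:443", "203.0.113.10",
                  "[2001:db8::1]:8080", "attacker.example", None]:
        print(repr(value), "->", route_request(value))
```

Because the check runs before any request reaches WordPress, the application never sees a HOST value other than one of the configured site names.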
For more details on the vulnerability and how it works, please read: