Blog by Corentin


The major WordPress vulnerability running for 10 years

Publicly released last April, CVE-2017-8295 is an unpatched WordPress vulnerability (0day) that affects every version of the famous CMS up to the latest release, 4.8.3 (4.9 is affected too). The vulnerability consists of a Host header injection triggered through the password reset function.
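
As an added illustration (not code from the original post or from WordPress core), the sketch below contrasts a sender address built from the request-derived server name with one pinned to a configured host, which is the defensive fix for this class of bug. The function names and sample hosts are assumptions made for the example; `wp_mail_from` and `home_url()` are existing WordPress APIs.

```php
<?php
// Added illustration: function names and sample hosts are hypothetical,
// this is not WordPress core code.

// Risky pattern: the sender domain comes from the server name, which the
// web server may fill in from the request's Host header.
function sender_from_request(string $serverName): string
{
    $host = strtolower($serverName);
    if (substr($host, 0, 4) === 'www.') {
        $host = substr($host, 4);
    }
    return 'wordpress@' . $host;
}

// Hardened pattern: the request host is used only when it is on the
// configured list; anything else falls back to the canonical host.
function sender_pinned(string $serverName, array $allowedHosts, string $canonicalHost): string
{
    $host = strtolower(trim($serverName));
    $host = (string) preg_replace('/:\d+$/', '', $host); // drop an optional port
    if (!in_array($host, $allowedHosts, true)) {
        $host = $canonicalHost;
    }
    return 'wordpress@' . $host;
}

if (function_exists('add_filter')) {
    // Inside WordPress (for example as a must-use plugin): pin the From
    // address of every outgoing mail to the host of the configured site URL.
    add_filter('wp_mail_from', function ($from) {
        $host = parse_url(home_url(), PHP_URL_HOST);
        return $host ? 'wordpress@' . $host : $from;
    });
} else {
    // Stand-alone run with constructed sample values.
    $allowed = ['blog.example.test'];
    foreach (['blog.example.test', 'Other.Example.Invalid'] as $name) {
        printf("%-24s request-derived: %-32s pinned: %s\n", $name,
            sender_from_request($name), sender_pinned($name, $allowed, 'blog.example.test'));
    }
}
```

The filter only helps if the configured site URL is itself static; a `WP_HOME` constant built from the request host would defeat it.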