On certain server setups, WordPress is vulnerable to an email interception attack. WP uses the $_SERVER['SERVER_NAME'] variable to build the “From” header in email notifications. On certain systems an attacker can exploit this to gain access to your site. The issue has been known since WP 2.3, but nothing has been done about it, so I decided to write a plugin to fix it.
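
One way to pin the sender address so it no longer depends on $_SERVER['SERVER_NAME'], using WordPress's wp_mail_from filter. This is an added example, not the plugin mentioned above; the constant EXAMPLE_MAIL_FROM and the function name are hypothetical, and it assumes a default single-site install where home_url() comes from the stored site URL.

```php
<?php
/**
 * Plugin Name: Fixed Mail From (added example)
 * Description: Pins the notification "From" address to a configured value.
 */

// Hypothetical constant: the site owner sets it in wp-config.php, e.g.
// define( 'EXAMPLE_MAIL_FROM', 'noreply@example.org' );
if ( ! defined( 'EXAMPLE_MAIL_FROM' ) ) {
    define( 'EXAMPLE_MAIL_FROM', '' );
}

/**
 * Replace whatever sender address wp_mail() computed with one that is
 * taken from configuration, never from the incoming request.
 */
function example_fixed_mail_from( $from_email ) {
    // 1. Preferred: an address the administrator configured explicitly.
    $configured = sanitize_email( EXAMPLE_MAIL_FROM );
    if ( is_email( $configured ) ) {
        return $configured;
    }

    // 2. Fallback: build the address from the stored site URL
    //    (the "home" option or WP_HOME), not from request-supplied data.
    $host = wp_parse_url( home_url(), PHP_URL_HOST );
    if ( is_string( $host ) && '' !== $host ) {
        $host      = preg_replace( '/^www\./', '', strtolower( $host ) );
        $candidate = 'wordpress@' . $host;
        if ( is_email( $candidate ) ) {
            return $candidate;
        }
    }

    // 3. Nothing trustworthy available: keep the original value, but leave
    //    a trace so the misconfiguration shows up in the PHP error log.
    error_log( 'example_fixed_mail_from: no fixed sender configured; using ' . $from_email );
    return $from_email;
}

// Run last so no earlier filter can reintroduce a request-derived address.
add_filter( 'wp_mail_from', 'example_fixed_mail_from', PHP_INT_MAX );
```

At the web-server level, the same goal is served by having the virtual host answer only for its configured hostnames, so SERVER_NAME cannot take an arbitrary value.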