Password-reset flaw haunts WordPress admins


Researchers are sounding the alarm for a serious administrator password-reset vulnerability affecting the latest version of WordPress, the popular open-source blog publishing platform.

The flaw, which can be exploited via the browser, gives an attacker a trivial way to compromise the admin account of any WordPress or WordPress MU (multiple user) installation.

Proof-of-concept code demonstrating the problem is publicly available. A patch is currently being prepared and is expected to be released soon.

Swa Frantzen, an incident handler at the SANS Internet Storm Center, has a detailed explanation of the problem.

UPDATE (August 12, 2009): WordPress has shipped a fix for this "very annoying" problem.