Password-reset flaw haunts WordPress admins
Researchers are sounding the alarm for a serious administrator password-reset vulnerability affecting the latest version of WordPress, the popular open-source blog publishing platform.
The flaw, which can be exploited via the browser, gives an attacker a trivial way to compromise the admin account of any WordPress or WordPress MU (multiple user) installation.
Proof-of-concept code demonstrating the problem is publicly available. A patch is currently being prepared for release soon.
Swa Frantzen, an incident handler at the SANS Internet Storm Center, has a detailed explanation of the problem.
UPDATE (August 12, 2009): WordPress has shipped a fix for this "very annoying" problem.