Tech

Password-reset flaw haunts WordPress admins

Researchers are sounding the alarm for a serious administrator password-reset vulnerability affecting the latest version of WordPress, the popular open-source blog publishing platform.The flaw, which can be exploited via the browser, gives an attacker a trivial way to compromise the admin account of any WordPress of WordPress MU (multiple user) installation.

Written by Ryan Naraine, Contributor Aug. 11, 2009 at 1:17 a.m. PT

Researchers are sounding the alarm for a serious administrator password-reset vulnerability affecting the latest version of WordPress, the popular open-source blog publishing platform.

The flaw, which can be exploited via the browser, gives an attacker a trivial way to compromise the admin account of any WordPress of WordPress MU (multiple user) installation.

Proof-of-concept code demonstrating the problem is publicly available. A patch is currently being prepared for release soon.

Swa Frantzen, an incident handler at the SANS Internet Storm Center has a detailed explanation of the problem.

UPDATE (August 12, 2009): WordPress has shipped a fix for this "very annoying" problem.

Editorial standards

Show Comments

Password-reset flaw haunts WordPress admins

Related

The work laptop I recommend to most people is not made by Apple or Lenovo

7 reasons I use Copilot instead of ChatGPT

Why I travel with Bose's QuietComfort Ultra headphones instead of the Sony XM5