WordPress is back in the news again. Some of the recent high-profile breaches are suspected to have come from WordPress exploits, and the flaw behind them is in fact very simple but effective.
An attacker could exploit this vulnerability to compromise the admin account of any WordPress or WordPress MU installation at version 2.8.3 or earlier.
From what I can tell, the vulnerability allows an attacker to reset the admin user account without having a valid email address. This could certainly be used for denial of service, locking an admin out of their site by continually changing the password.
You can change any admin password on any WordPress blog as follows:
http://your_domain_name.TLD/wp-login.php?action=rp&key[]=
A quick fix for the vulnerability is to replace line 190 of wp-login.php, the check that only tests empty( $key ), with:
if ( empty( $key ) || is_array( $key ) ) // also reject a key submitted as an array rather than a string
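To show why the extra is_array() test matters, here is an added stand-alone PHP script (not WordPress code and not part of the original post) that models the check on that line before and after the fix; the function names and the sample query strings are constructed for this example.

```php
<?php
// Added example, not WordPress code. PHP parses the query-string parameter
// `key[]=` into an array, so $_GET['key'] becomes array('') instead of a
// string. empty() returns false for any non-empty array, even one whose only
// element is '', so the 2.8.3 check lets such a value through.

// Model of the 2.8.3 check: rejects only a missing or empty key.
function key_is_rejected_vulnerable($key): bool
{
    return empty($key);
}

// Model of the 2.8.4 fix: additionally rejects anything that is an array.
function key_is_rejected_fixed($key): bool
{
    return empty($key) || is_array($key);
}

// Constructed inputs standing in for what the server would see in $_GET.
$cases = [
    'action=rp&key=abc123' => 'legitimate reset key',
    'action=rp&key='       => 'missing key',
    'action=rp&key[]='     => 'array parameter',
];

foreach ($cases as $query => $label) {
    parse_str($query, $params);          // same parsing PHP applies to $_GET
    $key = $params['key'] ?? '';
    printf("%-22s key=%-10s old check: %-6s  fixed check: %s\n",
        $label,
        json_encode($key),               // prints "abc123", "" or [""]
        key_is_rejected_vulnerable($key) ? 'reject' : 'ACCEPT',
        key_is_rejected_fixed($key) ? 'reject' : 'ACCEPT');
}
// The array case is ACCEPTed by the old check and rejected by the fixed one;
// the legitimate key passes both and the empty key fails both.
```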
I request all readers to upgrade their WordPress installations to the 2.8.4 release.
Read the latest security press release from WordPress here.
Hi there,
Thanks for the article. I always like to read you.
Thank you very much for that wonderful post.