WordPress Exploit Allows Admin Password Reset

Multiple readers have sent word of a vulnerability in WordPress 2.8.3 which allows anyone to lock an admin out of his or her account by resetting the password. "The bug ... is trivial to exploit remotely using nothing more than a web browser and a specially manipulated link. Typically, requests to reset a password are handled using a registered email address. Using the special URL, the old password is removed and a new one generated in its place with no confirmation required." An alert on the Full Disclosure mailing list detailed the vulnerability, and WordPress quickly rolled out version 2.8.4 to address the issue.

Full disclosure a day after discovery?

[SmitherIsGod]

Is that not a bit soon? Especially with wordpress - it's going to be ages before many people update, and it's not a critical problem.

My copy of wordpress doesn't have this problem

[Anonymous Coward]

That's funny, my copy of Wordpress is not vulnerable to this issue. Oh wait, I tweaked things so that all of the logins and the like go over a separate, password-protected SSL connection. https://DOMAIN_NAME.TLD/wp-login.php?action=rp&key[]= just won't work :) Obviously this won't work if you let arbitrary users login to your wordpress account.

Code is Poetry

[pathological liar]

If Code is Poetry then Wordpress is some 15 year old's notebook scribblings on angst, Twilight and Dashboard Confessional.

If you're looking for alternatives that don't have gaping security issues with seemingly every release, check out Serendipity [s9y.org].