Slashdot Mirror

← Back to Stories (view on slashdot.org)

WordPress Exploit Allows Admin Password Reset

Posted by Soulskill on Wednesday August 12, 2009 @03:04AM from the probably-the-first-time-most-have-been-changed dept.

Multiple readers have sent word of a vulnerability in WordPress 2.8.3 which allows anyone to lock an admin out of his or her account by resetting the password. "The bug ... is trivial to exploit remotely using nothing more than a web browser and a specially manipulated link. Typically, requests to reset a password are handled using a registered email address. Using the special URL, the old password is removed and a new one generated in its place with no confirmation required." An alert on the Full Disclosure mailing list detailed the vulnerability, and WordPress quickly rolled out version 2.8.4 to address the issue.

3 of 100 comments (clear)

Min score:

Reason:

Sort:

Re:Clarification by Jellybob · 2009-08-12 03:10 · Score: 4, Insightful

Using the special URL, the old password is removed and a new one generated in its place with no confirmation required.
While you're right in saying the attacker can't access the admin's account, the admin themselves also can't access it, because their password has already been reset to something else, and they'll have to get the new one. It seems more like a minor inconvenience to me, then a massive bug which will end the world, but still a flaw.
That's why I stopped using Wordpress by krovisser · 2009-08-12 03:41 · Score: 4, Insightful

I was tired of constantly having security issues and having to upgrade. Isn't there less feature-filled blog app out there that's all lightweight and whatnot?
Re:Clarification by evanbd · 2009-08-12 03:53 · Score: 5, Insightful

If I write a script that resets your password every 3 seconds, you'll find it to be more than a minor inconvenience.