The Next Web

Wordpress Exploit Allows Admin Password Reset

By Zee
August 12, 2009
Tweet This
Tip Techmeme
Submit to Hackernews

Share


Comments

Wordpress Exploit Allows Admin Password ResetA vulnerability in WordPress 2.8.3 which allows anyone to lock an admin out of his or her account by resetting the password has been reported.

“The bug … is trivial to exploit remotely using nothing more than a web browser and a specially manipulated link. Typically, requests to reset a password are handled using a registered email address. Using the special URL, the old password is removed and a new one generated in its place with no confirmation required.”

The exploit doesn’t enable take-over of the blog but it does allow a prankster to lock an admin out of their blog by resetting the password.

An alert on the Full Disclosure mailing list detailed the vulnerability, and WordPress quickly rolled out version 2.8.4 to address the issue.

via Slashdot

Tags: , ,  

  • In fairness to WP they were all over it in minutes, thanks for posting though :-)
  • Thanks for sharing and a good thing i am following on twitter!
  • rule number one: get rid of the Admin account.
blog comments powered by Disqus
 


TwitterCounter