August 12, 2009 in News by Olgi Zenullari

Hello Dear Friends,

A security hole was found in WordPress 2.8.3 and all previous versions. First of all, if you haven’t already updated to 2.8.4, you had better do it NOW.

The Problem

Basically, to reset your WordPress password, you click on “Forgot Your Password” and enter your details (if you know them). Someone found a way to reset the password immediately without supplying any of the key values.

The request used to do this is:

http://www.domainname.com/wp-login.php?action=rp&key[]=

You simply replace domainname.com with the domain of the site you want to reset and VOILA... Check your email for confirmation.

The Solution

There is already a solution provided officially by WordPress, so all you have to do is update to the latest version (2.8.4).
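If your site ran 2.8.3 or earlier, the web server access log shows whether it received the request above. The following is an added example, not code from the original post or from WordPress: it scans log lines for wp-login.php requests with action=rp where key is sent in PHP array syntax, including the URL-encoded form. The function names, the combined log format and the sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Client address and request target from a combined-format access log line
# (the log format is an assumption; adjust the pattern to your server).
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def is_array_key_reset(target):
    """True if target is wp-login.php with action=rp and key sent as an array."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/wp-login.php"):
        return False
    # parse_qsl percent-decodes names, so key%5B%5D= is seen as key[]
    params = parse_qsl(parts.query, keep_blank_values=True)
    action_rp = any(n == "action" and v == "rp" for n, v in params)
    # PHP parses key[]=, key[0]= and key[a]= into an array; plain key= is a string
    array_key = any(re.match(r"key\[[^\]]*\]", n) for n, _ in params)
    return action_rp and array_key

def scan(lines):
    """Return (client, target) for every log line that matches."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if m and is_array_key_reset(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits

# Constructed sample log lines (documentation IP ranges), not real traffic
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Aug/2009:10:01:02 +0000] "GET /wp-login.php?action=rp&key[]= HTTP/1.1" 200 512',
    '192.0.2.11 - - [12/Aug/2009:10:02:00 +0000] "GET /wp-login.php?action=rp&key%5B%5D= HTTP/1.1" 200 512',
    '198.51.100.7 - - [12/Aug/2009:10:03:00 +0000] "GET /wp-login.php?action=rp&key=Ab3dE9xYz HTTP/1.1" 200 900',
    '198.51.100.8 - - [12/Aug/2009:10:04:00 +0000] "GET /wp-login.php?action=lostpassword HTTP/1.1" 200 700',
    '203.0.113.5 - - [12/Aug/2009:10:05:00 +0000] "GET /blog/wp-login.php?key[0]=&action=rp HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for client, target in scan(SAMPLE_LOG):
        print(client, target)
```

A legitimate reset link carries key as a plain string, so it is not flagged; only the array form is reported.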

Conclusion

This doesn’t hurt you at all; it’s more something that annoys you (because you won’t be able to log in with your old password), and all you have to do is log in with the new password provided and change it back to your old password or to a new, more secure password.

Regards

Olgi
