As you all know, WordPress has just released version 2.8.3. Alongside its improvements, the update also ships with a dangerous security vulnerability, and this is not a minor issue: blog owners can literally be locked out of their administrator accounts. An attacker can abuse the online password reset function to reset the admin password, leaving the blog owner locked out and clueless as to why.
The issue was first reported by Laurent Gaffie on August 11. WordPress developers have been informed and are already working on a fix, which will be included in a development version of WordPress.
To recover a lost password, a user requests a password reset. WordPress sends an email to the user’s registered address containing a link; when the link is clicked, WordPress resets the password to a random new one and then sends a second email with the new password to the user. The vulnerability lets an attacker skip the email verification step and trigger the reset directly.
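The defensive lesson in the flow above is that a reset must only go ahead when the request carries the unguessable secret that was delivered by email, checked strictly. The following PHP routine is an added example written for this article; it is not code from the post or from WordPress. It shows the checks a reset endpoint should make before touching a password: the presented token must be a non-empty string (request parameters in PHP can arrive as arrays, and loose checks such as `empty()` accept a non-empty array), it must match the stored hash in constant time, it must not have expired, and it must be consumed so it cannot be replayed. The in-memory `$store`, the `issueResetToken` and `verifyResetToken` functions, the one-hour lifetime and the `admin` account are all constructed for the example.

```php
<?php
// Added example (not WordPress code): a minimal password-reset token check.
// $store is an in-memory array standing in for the database table that would
// hold per-user reset records.

declare(strict_types=1);

const RESET_TOKEN_TTL = 3600; // token lifetime in seconds (assumed policy)

/**
 * Issue a reset token for $login. Only a hash of the token is stored; the raw
 * token is what goes into the emailed link. Returns the raw token.
 */
function issueResetToken(array &$store, string $login, int $now): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits of entropy, unguessable
    $store[$login] = [
        'hash'    => hash('sha256', $token),
        'expires' => $now + RESET_TOKEN_TTL,
    ];
    return $token;
}

/**
 * Verify the token presented on the reset link. $presented is deliberately
 * untyped because request input can be any type. Returns true only when every
 * check passes; on success the record is deleted so the token is single-use.
 */
function verifyResetToken(array &$store, string $login, $presented, int $now): bool
{
    // 1. Reject anything that is not a non-empty string. A loose check such as
    //    empty() would accept a non-empty array; is_string() does not.
    if (!is_string($presented) || $presented === '') {
        return false;
    }
    // 2. An unknown login fails exactly like a bad token.
    if (!isset($store[$login])) {
        return false;
    }
    $record = $store[$login];
    // 3. Expired tokens are invalid and are discarded.
    if ($now > $record['expires']) {
        unset($store[$login]);
        return false;
    }
    // 4. Compare against the stored hash in constant time.
    if (!hash_equals($record['hash'], hash('sha256', $presented))) {
        return false;
    }
    // 5. Consume the token before any password change happens.
    unset($store[$login]);
    return true;
}

// Demonstration with constructed data.
$store = [];
$now   = 1700000000;                       // constructed "current" timestamp
$token = issueResetToken($store, 'admin', $now);

var_dump(verifyResetToken($store, 'admin', [''], $now));    // case: array instead of string
var_dump(verifyResetToken($store, 'admin', 'wrong', $now)); // case: token does not match
var_dump(verifyResetToken($store, 'admin', $token, $now));  // case: the emailed token
var_dump(verifyResetToken($store, 'admin', $token, $now));  // case: same token presented again

$later = issueResetToken($store, 'admin', $now);
var_dump(verifyResetToken($store, 'admin', $later, $now + RESET_TOKEN_TTL + 1)); // case: past expiry
```

The order of the checks matters less than their strictness: every failure path returns the same `false`, the comparison is constant-time so a mismatched token leaks nothing about the stored one, and the record is removed on success so the emailed link works exactly once.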
The attack is completely undetectable by the blog owner while it happens. However, the attacker can only reset the password, not break into the account. What is more worrying is that no sophisticated tooling is needed: an Internet connection and a browser are all it takes.