Patch exists, but more work is necessary to be fully viable

Feb 12, 2015 22:57 GMT  ·  By

An attacker may be able to take complete control of a WordPress website due to the lack of a cryptographically secure pseudorandom number generator (CSPRNG).

A CSPRNG is a mechanism that produces random numbers on a computer whose output is unpredictable enough to be used for cryptographic purposes, such as generating keys or salts. The numbers are called pseudorandom because truly random output exists only in theory.

The bug in WordPress was discovered by Scott Arciszewski, a web programmer from Orlando, Florida. He informed WordPress maintainers of the need to implement a CSPRNG in the platform in order to eliminate even the slightest possibility that someone could predict the token used for resetting passwords.
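To make the point concrete, here is an added example of what a password-reset token scheme built on a CSPRNG looks like; it is illustrative code written for this article, not WordPress code and not Arciszewski's patch. It assumes a simple in-memory store keyed by user id, a one-hour token lifetime, and Python's `secrets` module as the CSPRNG source. The server keeps only a hash of the token, compares it in constant time, and invalidates it after one use or on expiry. The `weak_token_from_seed` helper shows, by contrast, why a seeded non-cryptographic generator is unsuitable: the same seed always yields the same token.

```python
import hashlib
import hmac
import random
import secrets
import time

TOKEN_BYTES = 32        # 256 bits of entropy drawn from the OS CSPRNG
TOKEN_LIFETIME = 3600   # seconds a reset link stays valid (assumed policy)


def issue_reset_token(store, user_id, now=None):
    """Create a reset token for user_id and return it (this is what would be
    emailed to the user). Server-side only a SHA-256 digest and an expiry
    timestamp are kept, so a leaked store does not leak usable tokens.
    The store layout is an assumption made for this example."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(TOKEN_BYTES)   # CSPRNG-backed, URL-safe
    store[user_id] = {
        "digest": hashlib.sha256(token.encode()).hexdigest(),
        "expires": now + TOKEN_LIFETIME,
    }
    return token


def verify_reset_token(store, user_id, presented, now=None):
    """Return True if `presented` is the live token for user_id.
    Rejects unknown users, expired tokens and mismatches; consumes the
    token on success so it cannot be replayed."""
    now = time.time() if now is None else now
    record = store.get(user_id)
    if record is None or now > record["expires"]:
        return False
    digest = hashlib.sha256(presented.encode()).hexdigest()
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(digest, record["digest"]):
        return False
    del store[user_id]   # single use
    return True


def weak_token_from_seed(seed):
    """Anti-pattern for contrast: a token from a seeded Mersenne Twister is
    fully determined by the seed, so it is only as unpredictable as the seed."""
    return "%032x" % random.Random(seed).getrandbits(128)


if __name__ == "__main__":
    store = {}
    token = issue_reset_token(store, "alice")
    print("issued:", token)
    print("valid :", verify_reset_token(store, "alice", token))
    print("replay:", verify_reset_token(store, "alice", token))
    print("seeded tokens equal:",
          weak_token_from_seed(42) == weak_token_from_seed(42))
```

The fixed `now` parameter exists so the expiry logic can be exercised deterministically; a real deployment would drop it and rely on the clock.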

Anyone achieving this would then be able to take over WordPress websites that are vulnerable in this way. However, at the moment there is no evidence of a method being available for accomplishing this.

Arciszewski says that he tried multiple times to bring the issue to the attention of WordPress maintainers, the first time on June 25, 2014, by opening a ticket on the platform’s issue tracker. Another attempt was made during WordCamp Orlando, a conference generally focused on how WordPress can be used more effectively.

In an advisory posted on Full Disclosure, he links to a fix created by him, but which has yet to be integrated in WordPress.

WordPress is used by more than 75 million websites. Nevertheless, cybercriminals may not be tempted to pursue the problem, given the complexity of creating an exploit.