The bug was discovered yesterday

Aug 12, 2009 08:54 GMT  ·  By
The latest version fixes a security vulnerability with the password reset process

A security vulnerability announced yesterday in the WordPress blogging platform has already been dealt with: WordPress 2.8.4, which fixes the hole, has been released. The bug allowed outside attackers to remotely reset the admin password of a WordPress installation, effectively locking users out of their account; however, the vulnerability did not allow others to take control of the account.

“Yesterday a vulnerability was discovered: a specially crafted URL could be requested that would allow an attacker to bypass a security check to verify a user requested a password reset. As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner. This doesn’t allow remote access, but it is very annoying,” the WordPress Blog reads.

WordPress allows administrators to reset their password if they happen to forget it. Normally, as a security measure, an email is sent to the registered email address to confirm the action. However, passing an empty array, $key[], to the reset URL instead of the normal $key parameter caused the script to skip this step and reset the password without the confirmation email.

This could not be exploited to take over an account, but the admin could be locked out of the installation and would have to take several steps to regain control, including uploading a specially designed script. A workaround has been available since yesterday: it involves adding a small snippet of code to check whether $key is in fact an array, in which case the data is treated as invalid.
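The following is an added example, not WordPress's own code: a simplified model of the reset-key check described above, showing why a key submitted as an array slipped past the existing "empty key" test and how the is_array() guard from the workaround closes it. The user table and the key lookup are constructed stand-ins for the real database calls.

```php
<?php
// Added example (not WordPress code): model of the reset-key check.
// Constructed stand-in for the users table; the admin row, like a fresh
// install, has no activation key set.
$users = [
    ['user_login' => 'admin',  'user_activation_key' => ''],
    ['user_login' => 'editor', 'user_activation_key' => 'abc123def456'],
];

// Stand-in for the "SELECT ... WHERE user_activation_key = %s" lookup.
// A single array argument is unpacked to its first element, so array('')
// is compared as the string '' and matches the first user without a key.
function find_user_by_key(array $users, $key) {
    if (is_array($key)) {
        $key = (string) reset($key);
    }
    foreach ($users as $u) {
        if ($u['user_activation_key'] === $key) {
            return $u;
        }
    }
    return null;
}

// Original check: preg_replace() passes an array subject through as an
// array, and empty() is false for a one-element array, so array('')
// survives the test and reaches the lookup.
function reset_password_vulnerable(array $users, $key) {
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    if (empty($key)) return 'error: invalid key';
    $user = find_user_by_key($users, $key);
    return $user ? "password reset for {$user['user_login']}" : 'error: invalid key';
}

// Hardened check (the workaround): reject a non-string key before any
// further processing, then apply the original validation.
function reset_password_fixed(array $users, $key) {
    if (empty($key) || is_array($key)) return 'error: invalid key';
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    if (empty($key)) return 'error: invalid key';
    $user = find_user_by_key($users, $key);
    return $user ? "password reset for {$user['user_login']}" : 'error: invalid key';
}

// PHP turns a "key[]=" query parameter into an array, not a string.
parse_str('action=rp&key[]=', $q);
echo 'key is array: ', var_export(is_array($q['key']), true), "\n";
echo 'vulnerable: ', reset_password_vulnerable($users, $q['key']), "\n";
echo 'fixed:      ', reset_password_fixed($users, $q['key']), "\n";
```

Running the script shows the vulnerable path resetting the admin account while the hardened path rejects the request with an invalid-key error.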

The latest version comes a little over a week after WordPress 2.8.3 was released and two months after the latest major version, 2.8, came out. The new release only addresses the mentioned security vulnerability and comes with no other bug fixes.

WordPress 2.8.4 is available for download here.