A vulnerability in the current 2.8.3 release of the popular WordPress blogging software can be exploited remotely via a web browser to temporarily lock out administrators. The cause of the issue is an error in the web-based password reset function. Normally when a password reset is requested, the user would be sent a link to their registered email address. Once the link is clicked, the old WordPress password is removed and a new one is generated which is again sent by email.
The password reset function in the wp-login.php PHP module can be abused to bypass the first step and then reset the admin password by submitting an array to the $key variable. This can be done remotely through any web browser and no confirmation of the password reset will be sent to the admin. Laurent Gaffié first reported that the vulnerability could be used to “compromise” the admin account, but has since issued a correction advising that it could only reset the admin account and cannot be used to break into the system.
The WordPress developers have been advised of the issue and have corrected the problem in a development version of the blogging software, in which they prevent arrays from being passed in the $key variable. The fix updates wp-login.php and replaces
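The following is an added illustration and not WordPress's own code: a simplified model of the reset-key validation step, with the weak check beside a corrected one. The user table, the function names and the assumption that a non-string key degrades to an empty string before the lookup are all constructed for this example.

```php
<?php
// Added illustration, not code from wp-login.php: a simplified model of how
// a reset-key check behaves when the key arrives as an array.

// Constructed sample user table. The admin has no pending reset request,
// so its stored activation key is empty.
$users = [
    ['login' => 'admin', 'user_activation_key' => ''],
    ['login' => 'bob',   'user_activation_key' => 'a1b2c3d4'],
];

// Weak check: only tests that the sanitised key is non-empty.
function lookup_weak($key, array $users) {
    $key = preg_replace('/[^a-z0-9]/i', '', $key); // array in, array out
    if (empty($key)) {                              // a non-empty array passes
        return 'invalid_key';
    }
    // Assumption for this model: a non-string key degrades to "" when the
    // query is built, so it matches the row whose activation key is empty.
    $needle = is_string($key) ? $key : '';
    foreach ($users as $u) {
        if ($u['user_activation_key'] === $needle) {
            return 'reset:' . $u['login'];
        }
    }
    return 'invalid_key';
}

// Corrected check (one way to do it): reject anything that is not a
// non-empty string before it gets anywhere near the database.
function lookup_fixed($key, array $users) {
    if (!is_string($key) || $key === '') {
        return 'invalid_key';
    }
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    if ($key === '') {
        return 'invalid_key';
    }
    foreach ($users as $u) {
        if ($u['user_activation_key'] === $key) {
            return 'reset:' . $u['login'];
        }
    }
    return 'invalid_key';
}

$array_key = ['x']; // an array-valued request parameter instead of a string
echo lookup_weak('a1b2c3d4', $users), "\n";  // legitimate string key
echo lookup_weak($array_key, $users), "\n";  // weak check lets the array through
echo lookup_fixed($array_key, $users), "\n"; // corrected check rejects it
```

Run with `php` on the command line; the second line of output shows the weak path resolving the array to the account with the empty activation key, while the corrected function returns the invalid-key result for the same input.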