WordPress 2.8.4 Released

Slightly broken code, now fixed.

Those who follow WordPress closely will know that a vulnerability has been found which, whilst not especially dangerous, could be very annoying for some – especially for high-profile blogs.

By using a specially crafted URL, an attacker can force a reset of the admin password. The attacker does not learn the new password: it is a random string, and it is e-mailed to the administrator of the blog. Even so, there's no denying that this is annoying for the administrator. More specifically, by repeating the reset at short intervals an attacker can keep the administrator locked out of the blog while other exploits are tried against it. In other words, this is a denial of service against the admin account rather than a takeover of it.

So, it's not the end of the world, but it's an annoyance, and in a few rare cases a potentially dangerous one.

Ideally, you should upgrade to the just-released WordPress 2.8.4. If you have legacy reasons for staying with an older version such as 2.7 (and many have, for example problems with widgets), you can instead fix the vulnerability by manually changing wp-login.php using the code shown in the changeset on the WordPress Trac: http://core.trac.wordpress.org/changeset/11798. Whichever route you take, test it on a copy of the site first; a hand-applied patch to an older file is easy to get subtly wrong.
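To make the bug class concrete, here is an added PHP illustration. It is not WordPress code and not the patch in the changeset above; it reproduces the general pattern of a reset handler that only "cleans" a query-string parameter and tests it with empty(), next to one that first insists the parameter is a non-empty string. The user table, the function names and the way the lookup binds an array parameter (taking its first element) are constructed assumptions for the example.

```php
<?php
// Added illustration of the bug class, not WordPress code.
// A reset handler receives a "key" from the query string. PHP turns
// ?key=abc into the string "abc" but ?key[]= into the array [""], and
// code that only "cleans" the value and tests it with empty() never
// notices the difference.

// Constructed stand-in for the users table. In real code this is a
// database lookup on user_activation_key; here it is a linear search.
const USERS = [
    ['user_login' => 'admin',  'user_activation_key' => ''],           // no reset pending
    ['user_login' => 'editor', 'user_activation_key' => 'abc123def'],  // reset pending
];

function find_user_by_key(string $key): ?array {
    foreach (USERS as $user) {
        if ($user['user_activation_key'] === $key) {
            return $user;
        }
    }
    return null;
}

// Vulnerable pattern. preg_replace() maps over an array and returns an
// array, so for [""] the result is still [""], which is not empty().
// The binder below stands in (assumption) for a query builder that takes
// the first element when handed an array, so the lookup runs with "".
function reset_password_vulnerable($key): string {
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    if (empty($key)) {
        return 'invalid key';
    }
    $bound = is_array($key) ? (string) reset($key) : (string) $key;
    $user = find_user_by_key($bound);
    return $user === null ? 'invalid key' : 'password reset for ' . $user['user_login'];
}

// Hardened pattern: reject anything that is not a non-empty string before
// it reaches the lookup, and never match an account with no reset pending.
function reset_password_hardened($key): string {
    if (!is_string($key)) {
        return 'invalid key';
    }
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    if ($key === '') {
        return 'invalid key';
    }
    $user = find_user_by_key($key);
    if ($user === null || $user['user_activation_key'] === '') {
        return 'invalid key';
    }
    return 'password reset for ' . $user['user_login'];
}

// Constructed requests: a legitimate key, and the array PHP builds for ?key[]=
foreach (['abc123def', ['']] as $request_key) {
    $shown = is_array($request_key) ? 'key[]=' : 'key=' . $request_key;
    echo $shown, ' -> vulnerable: ', reset_password_vulnerable($request_key),
         ' / hardened: ', reset_password_hardened($request_key), "\n";
}
```

Run it with the php command-line interpreter. The legitimate key resets the editor in both handlers; the array request walks past the empty() check in the vulnerable handler and ends up resetting the first account with no reset pending (here the admin), while the hardened handler refuses it before any lookup happens. The point to take away is that type checks on request input belong before sanitisation, not after.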

David Coveney

Dave has been working in software development since 1988, starting with payroll development and then ERP consultancy for large corporates. He is a keen traveller, photographer and motorsport enthusiast, but now puts family first as he's massively in love with his two little boys. Dave is still an early adopter. He was connected to the internet from his bedroom, way back in the eighties, had a personal website by 1994, was into the connected house in the late '90s, had a smartphone by 2002, and was the first in the office with a fitness tracker.