WordPress 2.8.4 Released

Slightly broken code, now fixed.

Those who follow WordPress closely will understand that a vulnerability has been found that, whilst not being especially dangerous, could be very annoying for some – especially for high-profile blogs.

By using a specially crafted URL, it’s possible for an attacker to force a reset of the admin password.  The attacker can’t know this admin password, it will be a random string, and this password will be e-mailed to the administrator of the blog.  However, there’s no denying that this could be annoying to the administrator.  More specifically, an administrator could be locked out of a block while some other exploits are tried, simply by resetting the password at short intervals.

So, it’s not the end of the world, but it’s an annoyance and in a few rare cases a potentially dangerous one.

To fix this vulnerability in older versions of WordPress, such as 2.7, you can manually change wp-login.php using the code shown in the Changeset on the WordPress Trac: http://core.trac.wordpress.org/changeset/11798 – ideally, you should upgrade to the just released WordPress 2.8.4 but if you have legacy reasons for staying with 2.7 (and many have, for example problems with widgets) then you may need to delay this.