
wordpress: remote admin password reset

Package(s): wordpress
CVE #(s):
Created: August 12, 2009
Updated: August 12, 2009
Description:

From the advisory on full-disclosure:

A web browser is sufficient to reproduce this proof of concept:

    http://DOMAIN_NAME.TLD/wp-login.php?action=rp&key[]=

The password will be reset without any confirmation.

An attacker could exploit this vulnerability to compromise the admin account of any wordpress/wordpress-mu <= 2.8.3.
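The advisory's `key[]=` trick works because PHP turns that query parameter into an array, which a presence-only check does not reject. The PHP below is an added illustration, not WordPress's own code: it contrasts a naive emptiness test with a strict check that requires a well-formed string before any lookup is made. The 20-character alphanumeric key format is an assumption chosen for the example.

```php
<?php
// Added illustration (not WordPress code): two ways of checking the
// reset key taken from the query string before looking it up.

// Naive check: only tests that something was supplied. For a request
// like ?action=rp&key[]=, PHP parses $_GET['key'] as array(''), which
// is a non-empty value, so this check lets it through.
function naive_key_is_present($key) {
    return !empty($key);
}

// Strict check: the key must be a scalar string of the expected shape.
// The 20-alphanumeric-character format is an assumed placeholder, not
// the format WordPress actually uses. Arrays, nulls and malformed
// strings are all rejected before any database query runs.
function strict_key_is_valid($key) {
    return is_string($key) && preg_match('/^[A-Za-z0-9]{20}$/', $key) === 1;
}

// Constructed sample inputs, as PHP would parse these query strings:
//   action=rp&key=aB3dE5fG7hI9jK1lM2nO  -> "aB3dE5fG7hI9jK1lM2nO"
//   action=rp&key[]=                    -> array('')
//   action=rp                           -> null (key absent)
$samples = array(
    'well-formed key'  => 'aB3dE5fG7hI9jK1lM2nO',
    'array via key[]=' => array(''),
    'missing key'      => null,
);

foreach ($samples as $label => $key) {
    printf("%-17s naive=%-6s strict=%s\n", $label,
        naive_key_is_present($key) ? 'pass' : 'reject',
        strict_key_is_valid($key)  ? 'pass' : 'reject');
}
```

Only the array input separates the two checks: the naive test accepts it, the strict test rejects it, which is the property a reset handler needs.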

Alerts:
Fedora FEDORA-2009-8487 2009-08-11
Fedora FEDORA-2009-8468 2009-08-11


Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds