Developers of the widely used WordPress blogging software have released an update that fixes a vulnerability that let attackers take over accounts by resetting the administrator password.

The bug in version 2.8.3 is trivial to exploit remotely using nothing more than a web browser and a specially manipulated link. Typically, requests to reset a password are handled using a registered email address. Using the special URL, the old password is removed and a new one generated in its place with no confirmation required, according to this alert published on the Full-Disclosure mailing list.

www.darknet.org.uk/2009/08/wordpress-2-8-3-admin-reset-exploit/

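The post above describes the failure mode in general terms: a reset that goes through without any confirmation tied to the account's registered email address. As an added example that is not from the original post or from WordPress itself, the Python sketch below contrasts a handler that only checks that some key was supplied with one that binds a single-use, expiring token to the account, stores only the token's hash, and rejects anything that is not a plain string. The in-memory user store, token store, 15-minute TTL and the SHA-256 placeholder for password hashing are constructed for this example.

```python
import hashlib
import secrets
import time

# Constructed in-memory stores for the example; a real deployment persists
# these and uses a proper password KDF instead of plain SHA-256.
USERS = {"admin": {"email": "admin@example.invalid", "password_hash": None}}
RESET_TOKENS = {}  # sha256(token) -> {"user": ..., "expires": ...}
TOKEN_TTL_SECONDS = 15 * 60


def _hash(value: str) -> str:
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def weak_reset(user: str, key):
    """Insecure pattern: checks only that *some* key was supplied, never that
    it was issued to this user. Any request that carries a truthy value for
    the key parameter forces a new password onto the account."""
    if not key or user not in USERS:
        return None
    new_password = secrets.token_urlsafe(12)
    USERS[user]["password_hash"] = _hash(new_password)
    return new_password


def request_reset(user: str, now=None) -> str:
    """Issue a single-use, expiring token bound to the account. Only the hash
    is stored; the plaintext token is what gets emailed to the registered
    address, so possession of it is the confirmation step."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[_hash(token)] = {"user": user, "expires": now + TOKEN_TTL_SECONDS}
    return token


def complete_reset(user: str, key, new_password: str, now=None) -> bool:
    """Accept the reset only if the presented key is a plain non-empty string,
    matches a stored token for this exact user, and has not expired. The token
    is consumed on success so it cannot be replayed."""
    now = time.time() if now is None else now
    # Query-string parsers can hand back lists or None; refuse anything that
    # is not a plain string before it reaches the lookup.
    if not isinstance(key, str) or not key or user not in USERS:
        return False
    digest = _hash(key)
    record = RESET_TOKENS.get(digest)
    if record is None or record["user"] != user or now > record["expires"]:
        return False
    del RESET_TOKENS[digest]  # single use
    USERS[user]["password_hash"] = _hash(new_password)
    return True


if __name__ == "__main__":
    issued = request_reset("admin")
    print("reset with issued token:", complete_reset("admin", issued, "new-secret"))
    print("replay of same token:  ", complete_reset("admin", issued, "again"))
    print("non-string key:        ", complete_reset("admin", ["x"], "again"))
```

The difference that matters is where the confirmation lives: in the weak handler it is implicit in "a key was sent", which the requester controls, while in the hardened handler it is a secret that only the registered mailbox ever receives, checked against what was actually issued and discarded after one use.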
User Comments

  1. timethief
    Did you know that 2.8.4 is now available?
  2. Rozie818
    I'm still on 2.6.1; this was posted for whoever is still using 2.8.3.
    1. timethief
      I just saw that 2.8.4 was available a couple of hours ago so I thought I'd share that with you and other wp users who may read this thread.
  3. Rozie818
    I won't update for a while, as per the reasons in 2.8.3
    I stopped doing the beta tester for these things.
    They probably released 2.8.4 because of problems with 2.8.3
    1. timethief
      Yes that's why it was released.
  4. cooper
    I updated my smaller blog but not my regular blog. I swear those guys do this on purpose, something like that is pretty hard to overlook isn't it?
  5. Anthe
    Thanks for the info, I was wondering why there was already a new version again.