The password of my Wordpress admin account was not valid when I tried to login today. I first thought it was a problem with the LastPass password manager and tried to see if I was still logged into the service. When I checked my email inbox I noticed that I have received a new password for the account. That was strange since I did not request a new password. It was not that much of a concern to me as I thought that someone might have used the password reset functionality to reset the password which meant that physical access to the new password was not possible.
A new post appeared on the Wordpress discussion list today revealing more details about the process. Everyone is apparently able to reset a Wordpress password if the email address of the Wordpress user is known. All that needs to be done is to point the web browser at http://www.domain.com/wp-login.php?action=lostpassword to reset the password. The email address of the account holder has to be supplied in the form. Wordpress usually will send a confirmation email first asking the email account owner if the password should be reset. The vulnerability manipulates the query to skip this step.
It is not possible to exploit this vulnerability further which means attackers cannot get access to the user account. It can however be theoretically be used to reset the password regularly to lock the user or admin out of the Wordpress blog.
A temporary fix for the remote admin password reset vulnerability was posted. Wordpress administrators need to change one line of code in the wp-login.php file of the Wordpress installation to protect their blog from the attack.
Replace
if ( empty( $key ) )
With
if ( empty( $key ) || is_array( $key ) )
It is advised to apply the temporary fix as soon as possible to Wordpress installations.
Read Related Posts
-
Wordpress 2.8.4 Security Update
-
Wordpress Incorrect Password
-
Create a Password Reset Disk on USB in Windows XP
-
Firefox Mass Password Reset
-
How to reset the Master Password in Firefox
-
Wordpress 2.8.2 Security Patch
-
Wordpress Hack: Change Number Of Comments Per Page In Admin Interface
-
Computer Worm Attacks Not Updated Wordpress Blogs
13 Responses to “Wordpress Remote Admin Password Reset Vulnerability”
Trackbacks/Pingbacks
-
[...] the original post: Wordpress Remote Admin Password Reset Vulnerability Share and [...]
-
[...] It is advised to apply the temporary fix as soon as possible to Wordpress installations.Wordpress Remote Admin Password Reset Vulnerability [...]
-
[...] : GHacks & Wordpress Blog. var linkwithin_site_id = 34620; (function () { var elem = [...]
-
[...] noticed a security vulnerability in Wordpress 2.8.3 yesterday (and earlier versions as well) that allowed [...]
-
[...] noticed a security vulnerability in Wordpress 2.8.3 yesterday (and earlier versions as well) that allowed [...]
-
[...] noticed a security vulnerability in Wordpress 2.8.3 yesterday (and earlier versions as well) that allowed [...]
-
[...] noticed a security vulnerability in Wordpress 2.8.3 yesterday (and earlier versions as well) that allowed [...]
thanks for that !
the line has to be replaced twice right?
According to this code change post at the wordpress website you only need to apply it to the line between 188 and 192
http://core.trac.wordpress.org/changeset/11798
Joomla! FTW.
Martin, What if admin is the only user ?? which many wp users use as default, wouldn’t that give a complete access to the person, and there an wordpress update to 2.8.4 that fixes this issues now
Avinash, the vulnerability does not give the attacker access to the Wordpress blog unless access the email account was hacked as well. Good tip about the Wordpress update, wonder why the blog is not showing that there is a new version available yet.
Just received 3 password changes to my blog this morning. I too thought the same thing, 2.8.4 may have addressed this.