We noticed a security vulnerability in Wordpress 2.8.3 yesterday (and in earlier versions as well) that allowed an attacker to reset the passwords of users. While this vulnerability could not be exploited to gain access to the user account (unless the attacker also had access to the email account the new password was sent to), it could be used to annoy those users, especially when combined with an automated script that resets the password every few seconds or minutes.
A fix was released with the announcement of the vulnerability which consisted of one line of code that had to be edited in the wp-login.php file of the Wordpress installation. Wordpress installations with the fix are safe from these kinds of attacks.
The Wordpress team has nevertheless released Wordpress 2.8.4 as a response to the security vulnerability. The new release patches this vulnerability and is a recommended update for every Wordpress installation. The Wordpress developers provide additional information about the vulnerability in the announcement post as well.
According to that post, it was only possible to reset the password of the first user account without a key; this is usually the admin account of the Wordpress installation. Wordpress is not showing the new version in its interface yet. This may change in the next hours.
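The post describes the fix as a single line in wp-login.php and says that the reset worked "without a key". The following PHP sketch is an added illustration, not Wordpress code and not the actual patch: it assumes (the post does not describe the mechanism) that the weakness is a reset-key check that only tests emptiness and does not insist on a non-empty string, and shows the weak check next to a hardened one. The function names, the `$users` array and the sample keys are constructed for the demo.

```php
<?php
// Added illustration (not Wordpress code): validating a password-reset key
// taken from the request before it is used to look up a user.
// $users, the function names and the sample keys are assumptions for this demo.

// Constructed sample user table: the first account has no activation key set,
// which is the normal state for an account that never requested a reset.
$users = [
    ['ID' => 1, 'user_login' => 'admin',  'user_activation_key' => ''],
    ['ID' => 2, 'user_login' => 'editor', 'user_activation_key' => 'c9f1d2e3a4b5'],
];

/**
 * Weak validation: empty() is the only check. A value that is non-empty but
 * not a string passes, and if it is later coerced to '' for the comparison
 * it matches the first user whose activation key is blank.
 */
function find_user_by_key_weak(array $users, $key)
{
    if (empty($key)) {
        return null; // rejected: nothing supplied
    }
    $lookup = is_string($key) ? $key : ''; // models a lossy coercion of non-string input
    foreach ($users as $u) {
        if ($u['user_activation_key'] === $lookup) {
            return $u;
        }
    }
    return null;
}

/**
 * Hardened validation: the key must be a string, must be non-empty after the
 * character whitelist is applied, and an account with a blank key must never
 * match. hash_equals() keeps the comparison constant-time.
 */
function find_user_by_key_hardened(array $users, $key)
{
    if (!is_string($key)) {
        return null; // anything that is not a plain string is rejected outright
    }
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    if ($key === '') {
        return null;
    }
    foreach ($users as $u) {
        if ($u['user_activation_key'] !== '' && hash_equals($u['user_activation_key'], $key)) {
            return $u;
        }
    }
    return null;
}

// Demo with constructed inputs.
$validKey     = 'c9f1d2e3a4b5';
$nonString    = ['']; // non-empty according to empty(), but not a string

echo find_user_by_key_weak($users, $validKey)['user_login'], "\n";          // editor
echo var_export(find_user_by_key_weak($users, $nonString)['ID'] ?? null, true), "\n"; // 1: first user matched without a real key
echo find_user_by_key_hardened($users, $validKey)['user_login'], "\n";      // editor
echo var_export(find_user_by_key_hardened($users, $nonString), true), "\n"; // NULL: rejected
```

The point to take from the two functions is that "present" and "well-formed" are different checks: a reset flow should reject anything that is not a non-empty string of the expected alphabet, and should never treat an account whose stored key is blank as a match.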
Wordpress admins should head over to the Wordpress website to download the new version for now.
7 Responses to “Wordpress 2.8.4 Security Update”
Wordpress is not showing the new version in its interface.
It does, I had upgraded a few hours ago. When the update notice shows depends on when WP last checked for updates. It is only performed every so often to not waste resources on each admin area load.
Thank you for the information. I have noticed that there is already a new security update for Wordpress in my dashboard. I searched for a review and I found your site. Thanks again for the helpful information.