Wordpress Remote Admin Password Reset Vulnerability - gHacks Tech News

WordPress Remote Admin Password Reset Vulnerability

The password of my WordPress admin account was not valid when I tried to login today. I first thought it was a problem with the LastPass password manager and tried to see if I was still logged into the service.

When I checked my email inbox I noticed that I have received a new password for the account. That was strange since I did not request a new password.

It was not that much of a concern to me as I thought that someone might have used the password reset functionality to reset the password which meant that physical access to the new password was not possible.

A new post appeared on the WordPress discussion list today revealing more details about what happened on that day.

Anyone is apparently able to reset a WordPress password if the email address of the WordPress user is known. All that needs to be done is to point the web browser at http://www.domain.com/wp-login.php?action=lostpassword to reset the password.

The email address of the account holder has to be supplied in the form. WordPress sents a confirmation email first usually to the registered email address to verify the request. This is done to prevent abuse of the system so that passwords do get reset without the actual account owner requesting it.

The vulnerability that was revealed recently manipulates the query to skip this step.

It is not possible to exploit this vulnerability further, which means attackers cannot get access to the user account. All that is possible is to reset the password of the account, which is definitely a nuisance for the account owner.

It can however be used theoretically to reset the password regularly to lock the user or admin out of the WordPress blog.

A temporary fix for the remote admin password reset vulnerability was posted. WordPress administrators need to change one line of code in the wp-login.php file of the WordPress installation to protect their blog from the attack.

Replace

if ( empty( $key ) )

With

if ( empty( $key ) || is_array( $key ) )

It is advised to apply the temporary fix as soon as possible to WordPress installations.

Update: WordPress has fixed the issue in recent versions of the software. It is no longer necessary to implement the patch manually.

Summary
Article Name
WordPress Remote Admin Password Reset Vulnerability
Description
A WordPress vulnerability may be abused to reset the account password of any registered user without confirmation; only the email address needs to be known.
Author
Publisher
Ghacks Technology News
Logo

We need your help

Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats or subscription fees.

If you like our content, and would like to help, please consider making a contribution:

Comments

  1. Gonzague said on August 11, 2009 at 4:56 pm
    Reply

    thanks for that !

    the line has to be replaced twice right?

    1. Martin said on August 11, 2009 at 5:19 pm
      Reply

      According to this code change post at the wordpress website you only need to apply it to the line between 188 and 192

      http://core.trac.wordpress.org/changeset/11798

  2. Rick Russell said on August 11, 2009 at 5:54 pm
    Reply

    Joomla! FTW.

  3. Avinash said on August 12, 2009 at 9:03 am
    Reply

    Martin, What if admin is the only user ?? which many wp users use as default, wouldn’t that give a complete access to the person, and there an wordpress update to 2.8.4 that fixes this issues now

    1. Martin said on August 12, 2009 at 9:54 am
      Reply

      Avinash, the vulnerability does not give the attacker access to the WordPress blog unless access the email account was hacked as well. Good tip about the WordPress update, wonder why the blog is not showing that there is a new version available yet.

  4. Happy said on August 12, 2009 at 4:22 pm
    Reply

    Just received 3 password changes to my blog this morning. I too thought the same thing, 2.8.4 may have addressed this.

  5. rhe said on May 21, 2011 at 11:11 am
    Reply

    is there any plugins to avoid this vuln?

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

Please note that your comment may not appear immediately after you post it.