After it came out yesterday that anyone can reset the password of a user, and even of the administrator, the WordPress team has responded and released WordPress 2.8.4 as a security release.

Yesterday a reset vulnerability was discovered: a specially crafted URL could be requested that would allow an attacker to bypass a security check to verify a user requested a password. As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner. This does not allow remote access, but it is very annoying.

We fixed this problem last night and have been testing the fixes and looking for other problems since then. Version 2.8.4 which fixes all known problems is now available for download and is highly recommended for all users of WordPress.

I had already applied the manual fix yesterday morning, but today, to be on the safe side, I updated to the new version 2.8.4 :) Even if such an action would not achieve much in my case, because I sign in via OpenID and my account is not the only admin account on this blog ... it can't hurt!

Written on 12 August 2009