RealTime IT News

WordPress fixes password reset security flaw

From the 'scary security flaws' files:

Imagine this scenario: an attacker visits your blog, inputs an array in the HTTP address (the URL) and PRESTO, your admin password is automatically reset, locking the real admin out of their own site.

The vulnerability fixed in the open source WordPress blog software today isn't quite that scary, but it's close.

"Yesterday a vulnerability was discovered: a specially crafted URL could be requested that would allow an attacker to bypass a security check to verify a user requested a password reset," WordPress states in an advisory. "As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner. This doesn't allow remote access, but it is very annoying."
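A simplified illustration of the class of bug the advisory describes, added here as an example and not taken from WordPress's code: the `USERS` table, `bind_first_value` and both lookup functions are constructed, and the binder's handling of an array argument is an assumption about a generic convenience wrapper, not a statement about WordPress's internals.

```php
<?php
// Added illustration of the bug class in the advisory (constructed, not WordPress code):
// a reset-key guard that does not enforce the parameter's type, beside a hardened one.

// Constructed user table; the first account never requested a reset, so its key is empty.
const USERS = [
    ['login' => 'admin',  'activation_key' => ''],
    ['login' => 'editor', 'activation_key' => 'k7f3q'],
];

// Assumption: a convenience binder that takes values as separate arguments or as
// one array of values, and binds the array's first element (missing element -> '').
function bind_first_value(...$args): string {
    if (count($args) === 1 && is_array($args[0])) {
        $args = $args[0];
    }
    return (string) ($args[0] ?? '');
}

// Vulnerable: empty() is false for a non-empty array, so an array-typed key
// passes the guard and the binder may reduce it to ''.
function user_for_key_vulnerable($key): ?string {
    if (empty($key)) { return null; }
    $bound = bind_first_value($key);
    foreach (USERS as $u) {
        if ($u['activation_key'] === $bound) {
            return $u['login'];
        }
    }
    return null;
}

// Hardened: require a non-empty string, skip accounts with no stored key, compare safely.
function user_for_key_hardened($key): ?string {
    if (!is_string($key) || $key === '') { return null; }
    foreach (USERS as $u) {
        if ($u['activation_key'] !== '' && hash_equals($u['activation_key'], $key)) {
            return $u['login'];
        }
    }
    return null;
}

// PHP parses a query string such as ?key[]= into an array; this models that request shape.
$array_request = [''];
var_dump(user_for_key_vulnerable($array_request), user_for_key_hardened($array_request));
```

The vulnerable lookup returns the first account whose stored key is empty, which is exactly the account the advisory says gets reset; the hardened one returns null for the same request.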

WordPress also runs a free hosted blogging service whose site software is updated automatically. The thousands of users who have installed WordPress on their own sites, however, need to update on their own, and soon.
