Imagine this scenario. An attacker visits your blog, inputs an array in the http address header and PRESTO, your admin password is automatically reset – locking the real admin out of their own site.
A vulnerability fixed by the open source WordPress blog software today isn’t quite that scary but it’s close.
“Yesterday a vulnerability was discovered: a specially crafted URL could be requested that would allow an attacker to bypass a security check to verify a user requested a password reset,” WordPress states in an advisory. “As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner. This doesn’t allow remote access, but it is very annoying.”
WordPress has a free online hosted blogging service, where the site software is automatically updated — then there are thousands of users that have installed WordPress on their own sites – those are the ones that need to update on their own and soon.