WordPress vulnerability allows remote admin password reset - Update

A vulnerability in the current 2.8.3 release of the popular WordPress blogging software can be exploited remotely via a web browser to temporarily lock out administrators. The cause of the issue is an error in the web-based password reset function. Normally when a password reset is requested, the user would be sent a link to their registered email address. Once the link is clicked, the old WordPress password is removed and a new one is generated which is again sent by email.

The password reset function in the wp-login.php PHP module can be abused to bypass the first step and then reset the admin password by submitting an array to the $key variable. This can be done remotely through any web browser and no confirmation of the password reset will be sent to the admin. Laurent Gaffié first reported that the vulnerability could be used to "compromise" the admin account, but has since issued a correction advising that it could only reset the admin account and cannot be used to break into the system.

The WordPress developers have been advised of the issue and have corrected the problem in a development version of the blogging software, in which they prevent arrays from being passed in the $key variable. The fix updates wp-login.php and replaces

if ( empty( $key ) )

with

if ( empty( $key ) || is_array( $key ) )

Administrators that have already been locked out of their systems should use the "Emergency Password Reset Script", which needs to be loaded into the root of the WordPress installation (the same directory as wp-login.php). Instructions on how to proceed can be found here: Resetting Your Password.

Update: The WordPress developers have now released WordPress 2.8.4 to address password reset issue and installation is "highly recommended" to fix the "very annoying" problem.

See also:

• WordPress 2.8.3 Remote admin reset password, security advisory from Laurent Gaffié.

(crve)