Upgrade Your WordPress to 2.8.4!

If you are still running an outdated WordPress, any version from 2.8 through 2.8.3, please update it to the latest release.

These versions contain a vulnerability that lets someone who does not have the admin's e-mail address reset the admin password.

Normally, when you forget your password, you visit the following page: http://[wordpress hosted site]/wp-login.php?action=lostpassword

[Image: Basic Password Reset]

You then receive a reset confirmation mail like the one below:

Someone has asked to reset the password for the following site and username.
http://[wordpress hosted site]
Username: admin
To reset your password visit the following address, otherwise just
ignore this email and nothing will happen

http://[wordpress hosted site]/wp-login.php?action=rp&key=<key>

When you click the link, a newly generated password is e-mailed to you.

However, there is a way to bypass the e-mail step and its validation entirely and still have the password reset.

Anyone can initiate the reset simply by entering this URL in the address bar:
http://[wordpress hosted site]/wp-login.php?action=rp&key[]=

[Image: Initiation of Password Reset]

Yes, the password is reset right away, with no e-mail validation at all.

[Image: New Password in my Gmail account]

So my advice is to update to the latest release, 2.8.4, where this vulnerability is patched.
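As an added example that is not part of the original post, the Python script below scans web-server access logs (assumed to be in the common "combined" format) for reset requests that carry the array-style key parameter shown above; the log lines are constructed for the example. The 2.8.4 fix rejects a key that arrives as an array, so on a patched site such requests only yield an "Invalid key" error, but they are still worth flagging as probing for this bug.

```python
import re
from urllib.parse import parse_qs

# Apache/nginx "combined" access-log format; constructed sample lines are below.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
VALID_KEY = re.compile(r'[A-Za-z0-9]+')  # a genuine reset key is one alphanumeric string

def is_malformed_reset(target: str) -> bool:
    """True for a wp-login.php?action=rp request whose key is not a single
    alphanumeric value. key[]= (or its %5B%5D encoding) is the 2.8.0-2.8.3 bypass."""
    path, _, query = target.partition('?')
    if not path.endswith('/wp-login.php'):
        return False
    params = parse_qs(query, keep_blank_values=True)  # decodes key%5B%5D to key[]
    if params.get('action') != ['rp']:
        return False
    if any(name.startswith('key[') for name in params):  # PHP array parameter
        return True
    key = params.get('key', [])
    return len(key) != 1 or not VALID_KEY.fullmatch(key[0])

def scan(lines):
    """Return (client ip, timestamp, request target) for every flagged request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_malformed_reset(m['target']):
            hits.append((m['ip'], m['ts'], m['target']))
    return hits

SAMPLE_LOG = [  # constructed for this example; addresses are documentation ranges
    '198.51.100.7 - - [12/Aug/2009:09:12:01 +0000] "GET /wp-login.php?action=lostpassword HTTP/1.1" 200 1412 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Aug/2009:09:13:40 +0000] "GET /wp-login.php?action=rp&key=Ab3dEf9hKlMn0pQr2sTu HTTP/1.1" 200 1530 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Aug/2009:11:02:17 +0000] "GET /wp-login.php?action=rp&key[]= HTTP/1.1" 200 1530 "-" "curl/7.19.5"',
    '203.0.113.5 - - [12/Aug/2009:11:02:19 +0000] "GET /blog/wp-login.php?action=rp&key%5B%5D= HTTP/1.1" 200 1530 "-" "curl/7.19.5"',
]

if __name__ == '__main__':
    for ip, ts, target in scan(SAMPLE_LOG):
        print(f'{ts} {ip} {target}')
```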
