WordPress Flaw

Annoying? Yes. Patching a URL flaw in the WordPress password reset should be on many to-do lists for today:

…a specially crafted URL could be requested that would allow an attacker to bypass a security check to verify a user requested a password reset. As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner. This doesn’t allow remote access, but it is very annoying.

Patch, patch, patch…

Edited to add: 11 Tips to Secure WordPress
