Wordpress Exploit Found - Reset Admin Password
Join the DZone community and get the full member experience.Join For Free
Recently word as spread about the Wordpress password reset exploit. Any version of Wordpress from version 2.8.3 down is vulnerable. The exploit will allow anyone to reset the admin password of a Wordpress powered blog by simply adding parameters in the URL's query string.
How it works:
The normal password reset page asks you to enter the username or email address, and if that’s correct then a link is sent to the email address associated with that account to reset your password but note that the password itself is not changed and you can just ignore the email and carry on but hackers have found a way in which they simply bypass that check, and the password is reset, by passing a special value in the key parameter of the reset page URL. All someone has to do is add “/wp-login.php?action=rp&key=” to the end of the url (http://www.domainname.com/wp-login.php?action=rp&key=).
Note: Wordpress has since released update 2.8.4 which fixes the problem.
Opinions expressed by DZone contributors are their own.