WordPress <= 2.8.3 Reset Admin Password Vulnerability

By | 29/08/2009

An exploit has been released for all current versions of WordPress including WordPress <= 2.8.3. Laurent Gaffié who published the finding says:

An attacker could exploit this vulnerability to compromise the admin account of any wordpress/wordpress-mu <= 2.8.3

From what I can tell the vulnerability allows an attacker to reset the admin user account without having a valid email address. This could certainly be used in a denial of service vulnerability, locking an admin out their site by continually changing the password.

You can change any admin password on any WordPress blog as follows (taken from exploit):

http://DOMAIN_NAME.TLD/wp-login.php?action=rp&key[]=
I’ve tested this and it does change the admin password, however, I haven’t  looked at this for some time but I believe WordPress generates a fairly strong password after being reset, something an attacker would have difficulty brute forcing or guessing.

It is recommended before that the /wp-admin/* directory should be password protected or restricted to IP address. This would mitigate this problem.

Initial post by DK

Leave a Reply