An exploit has been released for all current versions of WordPress including WordPress <= 2.8.3. Laurent Gaffié who published the finding says:
An attacker could exploit this vulnerability to compromise the admin account of any wordpress/wordpress-mu <= 2.8.3
From what I can tell the vulnerability allows an attacker to reset the admin user account without having a valid email address. This could certainly be used in a denial of service vulnerability, locking an admin out their site by continually changing the password.
You can change any admin password on any WordPress blog as follows (taken from):
I’ve tested this and it does change the admin password, however, I haven’t looked at this for some time but I believe WordPress generates a fairly strong password after being reset, something an attacker would have difficulty brute forcing or guessing.
It is recommended before that the /wp-admin/* directory should be password protected or restricted to IP address. This would mitigate this problem.
Initial post by DK