WordPress issues new version, closes password flaw

The bug enables a specially-crafted URL to evade a password reset security verification check, Matt Mullenweg, founding developer of WordPress, said on the organisation's blog.

“As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner," he said.

While annoying, the flaw would not permit a hacker to remotely access the blog's back-end -- unless he or she had access to the admin's email account to retrieve the password.

Considering the WordPress' large code base, which could contain a variety of vulnerabilities, this was a relatively mild incident, Maxim Weinstein, manager of StopBadware.org at the Berkman Center for Internet and Society at Harvard University, told SCMagazineUS.com.

“Unlike previous vulnerabilities that essentially enabled modification of contents, this one did not seem quite as bad,” he said. “There have been vulnerabilities in WordPress that have let people exploit those vulnerabilities to inject new content or execute code at the server level, sometimes used to create drive-by downloads.”

WordPress does a credible job of responding to reported vulnerabilities and patching, but users are not always as vigilant, Weinstein said.

“WordPress has streamlined the update process,” he said. “The problem is that users do not always know that they have to keep updated"

In light of the sizeable target, hackers are unlikely to scale back on efforts to compromise the software platform.

“This should serve as notification to WordPress developers that security has to be front of mind with every bit of code they write,” Weinstein said. “They need to find ways to integrate security into all their development and testing processes.”

The newest WordPress version, 2.8.4, is available for download here. Just last week, WordPress had issued a new version to close a number of other vulnerabilities.
 

See original article on scmagazineus.com