If you haven’t heard the news, WordPress 2.8.4 has been released to fix another security/annoying issue that was discovered the other night. According to the announcement, this is what happens:
a specially crafted URL could be requested that would allow an attacker to bypass a security check to verify a user requested a password reset. As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner. This doesn’t allow remote access, but it is very annoying.
I was very surprised to see an email show up in my inbox letting me know what my new password was to log into WPTavern.com. Once I discovered what the problem was, I fixed it by uploading the patched WP-Login.php file as suggested by Matt Sivel and a few others in the WordPress Developers IRC channel. That fixed the issue. There has been a bit of a debate on whether this is really a security vulnerability or not but one things for sure, it is highly annoying. Glad to see it fixed in short order. You’ll never hear me complaining about too many WordPress upgrades when it comes to stuff like this.
Anyone else hit with the password reset annoyance?