Posted on Leave a comment

WordPress 2.8.3 broken! Upgrade to 2.8.4 immediately!

In case you missed it, WordPress 2.8.3 has a programming error which allows anyone to reset your administrative password and takeover your WordPress blog. With administrative access, the hacker could destroy your content, lock you out, and repurpose your website for wrong doing, spamming, pornography, slander, or whatever they want. Upgrade to WordPress 2.8.4 immediately! Learn more at darknet.org.uk.

This vulnerability could be prevented by securing the /wp-admin directory.

BlogSecurity has recommended before that the /wp-admin/* directory should be password protected or restricted to IP address. This would mitigate this problem. See our advisory here for details. [Source, BlogSecurity, WordPress <= 2.8.3 Reset Admin Password Vulnerability]

See details of the exploit at milw0rm.