
"Murphy was an optimist!"

WordPress 2.8.3 broken! Upgrade to 2.8.4 immediately!

August 13, 2009, 7:11 am

Posted by Doug McCaughan in: Blog, Publishing, Security, Software, Technology, WordPress

In case you missed it, WordPress 2.8.3 has a programming error which allows anyone to reset your administrative password and take over your WordPress blog. With administrative access, the hacker could destroy your content, lock you out, and repurpose your website for wrongdoing, spamming, pornography, slander, or whatever they want. Upgrade to WordPress 2.8.4 immediately! Learn more at darknet.org.uk.

This vulnerability could be prevented by securing the /wp-admin directory.

BlogSecurity has recommended before that the /wp-admin/* directory should be password protected or restricted to IP address. This would mitigate this problem. See our advisory here for details. [Source, BlogSecurity, WordPress <= 2.8.3 Reset Admin Password Vulnerability]
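The restriction BlogSecurity describes is usually done with an .htaccess file placed in the /wp-admin directory. The fragment below is an added example, not configuration from the original post or from BlogSecurity; it assumes an Apache 2.2 web server with AllowOverride enabled for the site, a hypothetical admin address 203.0.113.10, and a password file at /etc/apache2/wp-admin.htpasswd created with the htpasswd tool (all three are assumptions, not values from the page).

```apache
# /wp-admin/.htaccess  (added example, assumes Apache 2.2 directive syntax)

# 1. Restrict by IP address: deny everyone, then allow only the
#    administrator's address. 203.0.113.10 is a placeholder; replace
#    it with the address(es) you actually administer from.
Order Deny,Allow
Deny from all
Allow from 203.0.113.10

# 2. Password protect the directory with HTTP Basic authentication.
#    Create the file once with:  htpasswd -c /etc/apache2/wp-admin.htpasswd admin
#    Keep the file outside the web root so it can never be served.
AuthType Basic
AuthName "WordPress administration"
AuthUserFile /etc/apache2/wp-admin.htpasswd
Require valid-user

# 3. "Satisfy All" requires BOTH the IP check and the password.
#    Use "Satisfy Any" instead if you want either one to be enough
#    (for example, when your address changes often).
Satisfy All
```

Restart or reload Apache after adding the file and confirm from an address outside the allow list that /wp-admin/ now returns 403 (or a password prompt with "Satisfy Any"). On Apache 2.4 the Order/Deny/Allow lines become `Require ip 203.0.113.10`, and "Satisfy All" becomes a `<RequireAll>` block; the intent is the same.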

See details of the exploit at milw0rm.
