Remote admin password reset vulnerability issue in WP 2.8.3 and below

| August 12, 2009 | Leave a Comment

WordPress 2.8.3. just came out but even this doesn’t seem enough to stop this newly discovered security issue, which resets your administrator password remotely. This was reported by Laurent Gaffié in the Neohapsis mailing list a couple of days ago.

The software vulnerability has been submitted to the WordPress trac, and according to them there’s a one-liner fix: in wp-login.php, change line 190 from

if ( empty( $key ) )


if ( empty( $key ) || is_array( $key ) )

Sucuri Security, however, still argues that “they are still using blacklists instead of a whilelist of what should be accepted”.

Expect another security update to your WordPress install very soon. In the meantime, prepare to backup your database and files again!

Related Posts

Tags: , , , , ,


  1. WordPress 2.8.4 | WordPress Philippines Said,

    […] As expected, Automattic promptly released WordPress 2.8.4, a security update to the previously mentioned remote admin password reset vulnerability. […]

  2. For The Case of WordPress, Against Self-Indulgent Promoters Who Were Hacked | The Blog Herald Said,

    […] the 2.8 branch in less than 2 weeks. This update was released only hours after the vulnerability was discovered, proving how hard the WordPress community has worked to improve and secure the […]

RSS feed for comments on this post · TrackBack URI

Leave a Reply