FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

wordpress -- remote admin password reset vulnerability

Affected packages
wordpress < 2.8.4,1
de-wordpress < 2.8.4
wordpress-mu < 2.8.4a
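The three ranges above use the FreeBSD ports version syntax (`version[_revision][,epoch]`, with the epoch compared first). The following added example, which is not part of the VuXML entry and not FreeBSD's own `pkg version` code, shows how an administrator can check a list of installed versions against these bounds. It uses a simplified comparison (epoch, then dotted numeric and letter components, then `_` revision) that covers the version strings on this page but is an assumption, not the full pkg comparison algorithm; the installed-version dictionary is constructed sample input.

```python
import re

# Upper bounds (exclusive) exactly as stated in the advisory's "Affected packages" list.
AFFECTED = {
    "wordpress": "2.8.4,1",
    "de-wordpress": "2.8.4",
    "wordpress-mu": "2.8.4a",
}


def parse_version(v: str):
    """Parse a ports version string into a comparable (epoch, parts, revision) tuple.

    Simplified model (assumption, not the full pkg algorithm):
      - ",N" suffix is the epoch, compared before anything else
      - "_N" suffix is the port revision, compared last
      - the remaining base splits into numeric and alphabetic runs,
        so "2.8.4" sorts before "2.8.4a" (shorter prefix is lower)
    """
    epoch = 0
    if "," in v:
        v, e = v.split(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in v:
        v, r = v.split("_", 1)
        revision = int(r)
    parts = []
    for tok in re.findall(r"\d+|[a-zA-Z]+", v):
        # Tag numbers with 0 and letters with 1 so mixed tuples compare without TypeError.
        parts.append((0, int(tok)) if tok.isdigit() else (1, tok.lower()))
    return (epoch, parts, revision)


def is_affected(pkg: str, installed: str) -> bool:
    """True when the installed version is below the advisory's fixed version."""
    if pkg not in AFFECTED:
        raise ValueError(f"{pkg} is not listed in this advisory")
    return parse_version(installed) < parse_version(AFFECTED[pkg])


def scan(installed_pkgs: dict) -> list:
    """Return the names of listed packages whose installed version is vulnerable."""
    return sorted(p for p, v in installed_pkgs.items() if p in AFFECTED and is_affected(p, v))


# Constructed sample of what an admin might have installed (not real host data).
SAMPLE_HOST = {
    "wordpress": "2.8.3,1",       # below 2.8.4,1 -> vulnerable
    "wordpress-mu": "2.8.4",      # below 2.8.4a  -> vulnerable
    "de-wordpress": "2.8.4_1",    # 2.8.4 with revision 1 -> fixed
    "apache": "2.2.13",           # not in advisory, ignored
}

if __name__ == "__main__":
    print("vulnerable:", scan(SAMPLE_HOST))
```

Running the script against the constructed host prints `vulnerable: ['wordpress', 'wordpress-mu']`; a port revision such as `2.8.4_1` is correctly treated as at or above the fixed `2.8.4`.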

Details

VuXML ID 2430e9c3-8741-11de-938e-003048590f9e
Discovery 2009-08-10
Entry 2009-08-12
Modified 2010-05-02

WordPress reports:

A specially crafted URL could be requested that would allow an attacker to bypass a security check to verify a user requested a password reset. As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner.

References

CVE Name CVE-2009-2762
URL http://wordpress.org/development/2009/08/2-8-4-security-release/
URL http://www.milw0rm.com/exploits/9410