The Correct Way To Report A Security Issue With WordPress

Posted by admin in WordPress, WordPress... | 08.12.2009 - 4:15 pm

If you don’t know by now, WordPress 2.8.4 has hit the public and it addresses a mild but hugely annoying issue. There was no advanced warning regarding the vulnerability but it was quickly patched in the core of WordPress for the next release. Unfortunately, word quickly spread and in fact, even my site WPTavern.com was affected by the problem as I received an email letting me know what my new password was even though I didn’t request one. Here are the details regarding the annoyance:
a specially crafted URL could be requested that would allow an attacker to bypass a security check to verify a user requested a password reset. As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner. This doesn’t allow remote access, but it is very […]

Original post by Jeff Chandler

    Technorati Tags:

    Comments (0)
    Read More

    Reset WP Password Manually

    Posted by admin in WordPress, WordPress... | 04.27.2008 - 5:20 am

    Although there were over 80 security/bug fixes in WordPress 2.5.1, there was one thing that crept up immediately following the release. According to numerous reports by individuals and a ticket filed in the WordPress Trac when a user resets their password, the password reset link received in the email does not work. The error message that is received looks like this “Sorry, that key does not appear to be valid.”
    This bug has already been fixed and will be included in WordPress 2.5.2. However, if you are having issues with the reset link right now, you can read this post by Ryan McCue on how to Reset your WP Password Manually through phpMyAdmin.
    Technorati Tags: blog

    Original post by Jeff Chandler

      Technorati Tags:

      Comments (0)
      Read More