Security Upgrade for WordPress – Upgrade Now!

If you allow open registrations in your WordPress blog, then you better upgrade to the recently released version 2.6.2. This is because of a vulnerability found in version 2.6.1 and earlier versions that make it possible to reset the password of other users. The “hacker” will of course not get access to the new password, but this insecure bug togheter with a problem with mt_rand() will make it easier to predict the new password…..

From the WordPress blog:

With open registration enabled, it is possible in WordPress versions 2.6.1 and earlier to craft a username such that it will allow resetting another user’s password to a randomly generated password.  The randomly generated password is not disclosed to the attacker, so this problem by itself is annoying but not a security exploit.  However, this attack coupled with a weakness in the random number seeding in mt_rand() could be used to predict the randomly generated password.

So far I don’t think anyone suffered from this vulnerability, but it’s still a good idea to upgrade ASAP.

My FREE Insider’s Kit will show you how to earn more money!