WordPress has just released a new upgrade of the self-hosted version of WordPress. This time it contains a security upgrade which will make it harder for hackers to gain access to your WordPress installation via a resently found security hole. If you allow open registrations on your blog it’s possible for any user to craft a username so that it will reset another users password. The new password will be randomly created, but due to a weakness in mt_rand() it is possible to guess the new password 🙁
From the WordPress blog:
With open registration enabled, it is possible in WordPress versions 2.6.1 and earlier to craft a username such that it will allow resetting another user’s password to a randomly generated password. The randomly generated password is not disclosed to the attacker, so this problem by itself is annoying but not a security exploit. However, this attack coupled with a weakness in the random number seeding in mt_rand() could be used to predict the randomly generated password.
If you use WordPress you should upgrade as soon as possible.