New WordPress 2.8.4 Security Update

The developers at WordPress just discovered a specific vulnerability in the code. They describe the issue as follows:  a specially crafted URL could be requested that would allow an attacker to bypass a security check to verify a user asked for a password reset. As a result of this problem, the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner. This doesn’t allow remote access, but it is very annoying.

Considering that many WordPress installations don’t have the php mail() feature active in their hosting, they will just find that they can’t login to the WordPress Dashboard, but also they don’t have a new password, since they never received a new login through email. So, I personally recommend you to upgrade to WordPress 2.8.4 automatically from your Dashboard. By the way, if your hosting email feature is not active, you can use a plugin like WP-Mail-SMTP. If you came across this specific problem and can’t get the new password for your admin account, you can use any of the solutions described here.

Version 2.8.4 which fixes all known problems is now available for download and is highly recommended for all users of WordPress.

Download WordPress 2.8.4

One Comment

  1. Pingback: Twitted by WpThemesPlanet

Comments are closed