How To Fix WordPress 2.8.3 Password Reset Vulnerability

Laurent Gaffié posted an exploit for versions of WordPress up to and including 2.8.3 (the current version as of now). The exploit works like this: if you pass an empty array as the “key” on a reset password query, the value gets past the empty() check in wp-login.php and the password is reset, completely bypassing the usual security protection of WordPress. It’s not too bad since the password is sent to the admin email and not displayed on the screen, but it can still be annoying.

While we wait for an official patch from WordPress, which I’m sure will be coming very soon, there’s a very easy way to fix it. Simply edit wp-login.php and add this line after line 186 (after the line that says global $wpdb):

if (is_array($key)) return new WP_Error('invalid_key', __('Invalid key'));

This simple fix should do the trick. If the key is an array, the function will simply alert the user that the key is invalid, which is what it should do.
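To see why the extra guard matters, here is a standalone sketch added for illustration (it is not WordPress source or the original post's code). The three function names and the sample keys are hypothetical stand-ins, and it assumes the "empty array" above is an array holding a single empty string, which empty() treats as non-empty. The third check goes one step beyond the one-line fix and accepts only non-empty strings.

```php
<?php
// Added illustration, not WordPress code: simplified stand-ins for the key
// validation at the top of the password reset function in wp-login.php.
// Function names and return strings are hypothetical.

// Models the check as the post describes it: only empty() guards the key.
function check_key_original($key) {
    if (empty($key)) {
        return 'invalid_key';
    }
    return 'accepted';
}

// The same check with the post's is_array() guard placed in front of it.
function check_key_patched($key) {
    if (is_array($key)) {
        return 'invalid_key';
    }
    return check_key_original($key);
}

// Stricter variant (goes beyond the post): a reset key must be a non-empty
// string, so any other type is rejected before it can reach a query.
function check_key_strict($key) {
    if (!is_string($key) || $key === '') {
        return 'invalid_key';
    }
    return 'accepted';
}

// Constructed sample inputs, not captured traffic.
$samples = array(
    'well-formed string key'   => 'Zx81aB3kQ9mT7cV2pL5d',
    'empty string'             => '',
    'array with zero elements' => array(),
    'array holding one ""'     => array(''),
);

foreach ($samples as $label => $key) {
    printf(
        "%-26s original=%-11s patched=%-11s strict=%s\n",
        $label,
        check_key_original($key),
        check_key_patched($key),
        check_key_strict($key)
    );
}
```

Run it with the PHP command-line interpreter and compare the three columns on the last row against the others.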
