This just in from the Internet Storm Center
Juha-Matti pointed out multiple reports on a vulnerability in the widely used WordPress blog software that supposedly lets remote users reset the administrative password. They all lead to an original post on the Full-Disclosure mailing list.
You can get all the details from the original post – WordPress unauthenticated administrator password reset.
You can find the fix here.
Basically you just need to change line 190 in wp-login.php from
if ( empty( $key )
to
if ( empty( $key ) || is_array( $key ) )
If line 190 in wp-login.php doesn’t match the example, you should update WordPress.
I’ve already done it here and everything still works. I also tried it on a version of WordPress that isn’t the latest version. I had to search for the string that needed changing because it’s not on line 190 in the older version. I updated the info and everything is working there too.
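To show what the extra `is_array()` test actually changes, here is an added example (not WordPress code and not from the original post) that puts the check before and after the fix side by side as small functions and runs both over constructed inputs. The `key_is_well_formed` variant goes a step further than the patch by accepting only a string of the characters a reset key is assumed to contain; that character set is an assumption, not something the post states.

```php
<?php
// Added example. The check as it stood before the fix: empty() returns false
// for a non-empty array, so an array value passes and reaches the lookup that
// expects a single key string.
function old_check_rejects($key): bool {
    return empty($key);
}

// The check after the fix: an array is refused before any lookup happens.
function new_check_rejects($key): bool {
    return empty($key) || is_array($key);
}

// Stricter variant (not part of the patch): accept only a non-empty string
// made of the characters a reset key is expected to contain. Assumption: keys
// are alphanumeric; adjust the pattern to the real key format before relying
// on it. Rejecting everything that is not a string covers arrays and more.
function key_is_well_formed($key): bool {
    return is_string($key) && preg_match('/^[A-Za-z0-9]+$/', $key) === 1;
}

// Constructed inputs standing in for what $_GET['key'] can hold: PHP turns a
// plain query parameter into a string and a bracketed one into an array.
$inputs = [
    'valid key'    => 'abc123',
    'empty string' => '',
    'array value'  => ['x'],
    'empty array'  => [],
];

foreach ($inputs as $label => $key) {
    printf("%-13s old rejects: %-4s new rejects: %-4s well-formed: %s\n",
        $label,
        old_check_rejects($key) ? 'yes' : 'no',
        new_check_rejects($key) ? 'yes' : 'no',
        key_is_well_formed($key) ? 'yes' : 'no');
}
```

The row worth watching is the array value: the old check lets it through, the patched check and the stricter variant both stop it, while a normal key is accepted by all three.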