Daily cyber threats and internet security news: network security, online safety and latest security alerts
September 8th, 2008

WordPress 2.6.2 Released Due To PHP Weakness That Might Lead To Attack

New WordPress version, 2.6.2, was released today to mitigate a new attack vector discovered by PHP security researcher Stefan Esser. According to an advisory from WordPress blog, Stefan Esser recently warned developers of the dangers of SQL Column Truncation and the weakness of mt_rand(). Blogs that allow users registration should be upgraded as soon as possible.

With open registration enabled, it is possible in WordPress versions 2.6.1 and earlier to craft a username that will allow resetting another user’s password to a randomly generated one. The randomly generated password is not disclosed to the attacker, so this problem by itself is not a real security exploit. However, this attack coupled with a weakness in the random number seeding in mt_rand() could be used to predict the randomly generated password.

WordPress developers said the attack is difficult to accomplish but the patch is being released because of the associated risk.

Share this item with others:

More on CyberInsecure:
  • WordPress Multiple SQL Injection Vulnerabilities
  • WordPress 2.8.3 Remote Admin Password Reset Vulnerability
  • WordPress Parameter Directory Traversal Vulnerability
  • XSS Flaw Fixed In Latest WordPress 2.6.5
  • Significant Number Of WordPress Websites Compromised, IFrame Used For Affiliate Scheme

  • If you found this information useful, consider linking to it from your own website.
    Just copy and paste the code below into your website (Ctrl+C to copy)
    It will look like this: WordPress 2.6.2 Released Due To PHP Weakness That Might Lead To Attack

    Leave a Reply

    Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.

    To prove you’re a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.