WordPress 2.8.3 Admin Reset Exploit

The New Acunetix V12 Engine


Ah it’s WordPress again, sometimes I wonder how many holes there are in WordPress. I guess a dedicated attacker could find some serious ones with the complexity of the code base.

It’s suspected some of the recent high profile breaches have come from WordPress exploits.

The latest one to become public is a simple but effective flaw, it doesn’t enable take-over but it does allow a prankster to lock an admin out of their blog by resetting the password.

Developers of the widely used WordPress blogging software have released an update that fixes a vulnerability that let attackers take over accounts by resetting the administrator password.

The bug in version 2.8.3 is trivial to exploit remotely using nothing more than a web browser and a specially manipulated link. Typically, requests to reset a password are handled using a registered email address. Using the special URL, the old password is removed and a new one generated in its place with no confirmation required, according to this alert published on the Full-Disclosure mailing list.

The flaw lurks in some of the PHP code that fails to properly scrutinize user input when the password reset feature is invoked. Exploiting it is as easy is directing a web browser to a link that looks something like:

I actually saw the alert as it was published on Full-Disclosure, obviously anything to do with WordPress catches my attention.

The exploit can be executed by running the following code on a WordPress 2.8.3 blog:

Simple but effective.


According to WordPress documentation here, the bug has been fixed by changing a single line of code so the program checks to make sure the input supplied for the new password isn’t an array. If it is, the user gets an error message and must try again.

That would appear to be the end of it, but security researchers Rafal Los and Mike Bailey wonder aloud here whether it would have made more sense to check instead whether the input is a string.

“Hasty coding?” he asks. “Why take the blacklist vs. whitelist approach?”

The bigger point he and other observers seem to make is that PHP is the coding equivalent of an everyman’s jet pack. It allows him to quickly soar into the sky with a minimal amount of training but doesn’t necessarily provide the means to check for buildings, planes or other hazards that may greet the user once he gets there.

WordPress 2.8.4 has already been released so if you’re running WordPress do update ASAP to ensure you are safe from this bug.

With the core updates now available on auto-update there’s no excuse for not updating (no more download, extract, upload via FTP).

Of course with its history, this doesn’t mean you are safe from any of the other exploits that haven’t been made public.

Source: The Register

Posted in: Exploits/Vulnerabilities, Web Hacking

, , , , , , ,


Latest Posts:


Acunetix Vulnerability Scanner For Linux Now Available Acunetix Vulnerability Scanner For Linux Now Available
Acunetix Vulnerability Scanner For Linux is now available, now you get all of the functionality of Acunetix, with all of the dependability of Linux.
Gerix WiFi Cracker - Wireless 802.11 Hacking Tool With GUI Gerix WiFi Cracker – Wireless 802.11 Hacking Tool With GUI
Gerix WiFi cracker is an easy to use Wireless 802.11 Hacking Tool with a GUI, it was originally made to run on BackTrack and this version has been updated for Kali (2018.1).
Malcom - Malware Communication Analyzer Malcom – Malware Communication Analyzer
Malcom is a Malware Communication Analyzer designed to analyze a system's network communication using graphical representations of network traffic.
WepAttack - WLAN 802.11 WEP Key Hacking Tool WepAttack – WLAN 802.11 WEP Key Hacking Tool
WepAttack is a WLAN open source Linux WEP key hacking tool for breaking 802.11 WEP keys using a wordlist based dictionary attack.
Eraser - Windows Secure Erase Hard Drive Wiper Eraser – Windows Secure Erase Hard Drive Wiper
Eraser is a hard drive wiper for Windows which allows you to run a secure erase and completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns.
Insecure software versions are a problem Web Security Stats Show XSS & Outdated Software Are Major Problems
Netsparker just published some anonymized Web Security Stats about the security vulnerabilities their online solution identified on their users’ web applications and web services during the last 3 years.


6 Responses to WordPress 2.8.3 Admin Reset Exploit

  1. GZero August 12, 2009 at 12:32 pm #

    Of course, this only effectivly locks the admin out when he doesn’t have access to his e-mail address. Or his DB.

    Interesting bug. Clever use of PHP’s get/post array notation, but can’t really be considered exploitable to any serious extend.

  2. cbrp1r8 August 12, 2009 at 3:30 pm #

    wordpress…..again…..at least this part of the article was mildly humerous….

    “The bigger point he and other observers seem to make is that PHP is the coding equivalent of an everyman

  3. Kevin Korb August 12, 2009 at 5:35 pm #

    @cbrp1r8

    I’ll agree and disagree with your comment. PHP does provide the tools to easily soar indeed. It DOES provide the means to check for buildings etc, however it doesn’t enforce, or require you to use them.

    You can write crappy code in any language and leave yourself open for attack. Just because PHP lets you get the ball rolling very quickly, doesn’t mean it’s inferior.

    I do shutter everytime I have to dive into the wordpress code though. It’s far from elegant and you’d think with the adoption that it has it would be better.

  4. Brad Kelley August 12, 2009 at 6:28 pm #

    I’m not tracking. Which account is it resetting the password on? In my blogs I have the default admin account deleted, so just curious. Can’t tell by a cursory inspection of the code.

  5. free August 12, 2009 at 7:01 pm #

    rather annoying exploit, especially if you dont have direct access to the db.
    good thing they already fixed it .

  6. dozaaaar August 13, 2009 at 4:46 am #

    This attack vector bypasses the empty() checks but does not yeild an empty string as the value in the WHERE clause, rather it yeilds the string ‘Array’…therefore NOT A PROBLEM.