http://bugzilla.novell.com/show_bug.cgi?id=533543 Summary: WordPress vulnerability allows remote admin password reset Classification: openSUSE Product: openSUSE.org Version: unspecified Platform: Other OS/Version: Other Status: NEW Severity: Critical Priority: P5 - None Component: Wiki AssignedTo: bnc-team-screening@forge.provo.novell.com ReportedBy: javier@opensuse.org QAContact: adrian@novell.com Found By: --- User-Agent: Mozilla/5.0 (compatible; Konqueror/4.3; Linux) KHTML/4.3.0 (like Gecko) SUSE Today I have noticed that Lizards has WordPress 2.8.3. There's a known vulnerability in that version. "A vulnerability in the current 2.8.3 release of the popular WordPress blogging software can be exploited remotely via a web browser to temporarily lock out administrators. The cause of the issue is an error in the web-based password reset function. Normally when a password reset is requested, the user would be sent a link to their registered email address. Once the link is clicked, the old WordPress password is removed and a new one is generated which is again sent by email." Source: http://www.heise.de/english/newsticker/news/143358 Reproducible: Always Steps to Reproduce: 1. 2. 3. -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.