As Zhu was looking for privacy options in WordPress, she found that it didn’t encrypt the browser cookie, but rather sent it over HTTP in plaintext. After logging out of her account, she pasted her “wordpress logged in” cookie into a new browser and eventually was able to log into WordPress without inputting her log-in information.
Once in, Zhu could view private posts, pose as the accountholder to comment on other posts and peruse blog statistics. In an update to her blog, Zhu wrote that the flaw could be leveraged to set up two-factor authentication and block users from their accounts.
WordPress has since taken steps to address the flaw.