WordPress, the popular blogging software platform, has been updated to fix a flaw that could have enabled a hacker to change an administrator password.
The bug enables a specially crafted URL to evade a password reset security verification check, Matt Mullenweg, founding developer of WordPress, said Wednesday on the organization’s blog.
“As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner,” he said.
While annoying, the flaw would not by itself give an attacker remote access to the blog's back-end: the reset produces a new password, but that password is emailed to the account owner, so the attacker would also need access to the admin's email account to retrieve it.
Considering WordPress's large code base, which could contain a variety of vulnerabilities, this was a relatively mild incident, Maxim Weinstein, manager of StopBadware.org at the Berkman Center for Internet and Society at Harvard University, told SCMagazineUS.com Wednesday.
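The bug class described above, as an added illustrative reconstruction rather than WordPress's own code: a reset handler whose only guard is an emptiness check on the key from the URL, followed by a lookup that returns the first user whose stored key matches. The users table, the function names, and the assumption that the query helper unpacks an array argument into its positional parameters (the way vsprintf-style prepare() helpers do) are all constructed for this example.

```php
<?php
// Added example, not WordPress code. Models a password-reset handler that
// trusts a "key" query parameter and the fix pattern for it.

// Assumption: the query helper treats an array argument as its parameter
// list, so the one-element array [''] that PHP builds from ?key[]= becomes
// the string '' when bound to the %s placeholder.
function prepare_key($key) {
    if (is_array($key)) {
        $key = $key[0] ?? '';
    }
    return (string) $key;
}

// Constructed users table: accounts that never requested a reset have an
// empty activation key, and the admin account is first.
function users() {
    return [
        ['ID' => 1, 'user_login' => 'admin', 'user_activation_key' => ''],
        ['ID' => 2, 'user_login' => 'alice', 'user_activation_key' => ''],
        ['ID' => 3, 'user_login' => 'bob',   'user_activation_key' => 'a1b2c3d4'],
    ];
}

// Vulnerable: empty() rejects the string '' but accepts a non-empty array,
// so ?key[]= passes the check and the lookup runs with an empty key, which
// matches the first account that has no key set (usually the admin).
function reset_password_vulnerable($key) {
    if (empty($key)) {
        return 'error: invalid key';
    }
    $key = prepare_key($key);
    foreach (users() as $u) {
        if ($u['user_activation_key'] === $key) {
            return 'reset for ' . $u['user_login'];
        }
    }
    return 'error: invalid key';
}

// Hardened: require a string, strip everything outside the key alphabet,
// reject an empty result, and never match a row whose stored key is empty.
function reset_password_hardened($key) {
    if (!is_string($key)) {
        return 'error: invalid key';
    }
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    if ($key === '') {
        return 'error: invalid key';
    }
    foreach (users() as $u) {
        if ($u['user_activation_key'] !== '' && $u['user_activation_key'] === $key) {
            return 'reset for ' . $u['user_login'];
        }
    }
    return 'error: invalid key';
}

// What PHP's query-string parser produces for wp-login.php?action=rp&key[]=
$crafted = [''];
echo reset_password_vulnerable($crafted), "\n";
echo reset_password_hardened($crafted), "\n";
echo reset_password_hardened('a1b2c3d4'), "\n";
```

The hardened version closes both halves of the problem: the type check and the character filter stop a crafted parameter from reaching the query as anything but a short alphanumeric string, and refusing to match an empty stored key means that even a logic slip elsewhere cannot turn "no key" into "any key".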
“Unlike previous vulnerabilities that essentially enabled modification of contents, this one did not seem quite as bad,” he said. “There have been vulnerabilities in WordPress that have let people exploit those vulnerabilities to inject new content or execute code at the server level, sometimes used to create drive-by downloads.”
WordPress does a credible job of responding to reported vulnerabilities and patching, but users are not always as vigilant, Weinstein said.
“WordPress has streamlined the update process,” he said. “The problem is that users do not always know that they have to keep updated.”
In light of the sizeable target, hackers are unlikely to scale back on efforts to compromise the software platform.
“This should serve as notification to WordPress developers that security has to be front of mind with every bit of code they write,” Weinstein said. “They need to find ways to integrate security into all their development and testing processes.”