Wordpress 2.8.3 Admin Password Exploit And The Fix

Note: This post is over two years old and so the information contained here might be out of date. If you do spot something please leave a comment and we will endeavour to correct.

11th August 2009 - 4 minutes read time

A small exploit has been found within the latest (currently 2.8.3) version of Wordpress that can cause any attacker to reset the admin password. The attacker won't be able to see what the password is, and the new password is emailed to you anyway, but it might cause some users to be locked out of their blogs if they can't get access to the email or their email is down. However, it is a real pain so I am writing this blog to allow other bloggers to fix their Wordpress installs.

The Problem

Wordpress allows you to reset the admin password, which some users might want to do. The normal course of events is that the admin user selects that they want to reset their password and Wordpress will email the user a link containing a key. Following this link will reset the admin password. The issue is that it is possible to recreate this link without first sending out the email, which will reset the password. Here is the URL that can be used to reset the password.

http://DOMAIN_NAME.TLD/wp-login.php?action=rp&key[]=

I include this here so that you can make sure that the fix below has worked. Please don't try it out on other people's blogs!

The Solution

The solution is to reject activation keys that are arrays, but in case you don't follow what is going on in this trac report all you need to do is open up the file wp-login.php in the root of your blog and change line 190 from this:

if ( empty( $key ) )

To this:

if ( empty( $key ) || is_array( $key ) )

Upload the file to your site and you are done! You can check that this has fixed the issue by visiting the link above, you will see an invalid link notice.

WordPress