Acunetix DAST powers runtime capabilities for Invicti’s complete AppSec platform. Visit Invicti for more.

WEB APPLICATION VULNERABILITIES Standard & Premium

WordPress 2.8.3 Admin Password Reset Security Bypass Vulnerability (0.6.2 - 2.8.3)

Description

WordPress is prone to a security bypass vulnerability because it fails to adequately restrict access to the password reset feature. An attacker can exploit this issue to reset the administrator password of the application. Repeated attacks may allow the attacker to cause persistent Denial of Service conditions. WordPress version 2.8.3 is vulnerable; prior versions may also be affected.

Remediation

Update to WordPress version 2.8.4 or latest

References

http://archives.neohapsis.com/archives/fulldisclosure/2009-08/0114.html

http://blog.sucuri.net/2009/08/wordpress-2-8-3-remote-admin-reset-password.html

http://packetstormsecurity.org/files/view/80258/wordpress-adminreset.txt

http://secunia.com/advisories/36237

Related Vulnerabilities

Moodle Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2014-7836)

PHP Other Vulnerability (CVE-2007-2369)

IBM RTC Improper Restriction of XML External Entity Reference Vulnerability (CVE-2016-0284)

Atlassian Jira Exposure of Resource to Wrong Sphere Vulnerability (CVE-2021-39127)

WordPress Plugin 10Web Social Feed for Instagram Multiple Cross-Site Scripting Vulnerabilities (1.3.0)

Severity

High

Classification

CVE-2009-2762 CWE-255 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Tags

Missing Update Authentication Bypass