Description
wp-login.php in WordPress 2.8.3 and earlier allows remote attackers to force a password reset for the first user in the database, possibly the administrator, via a key[] array variable in a resetpass (aka rp) action, which bypasses a check that assumes that $key is not an array.
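The type assumption described above, as an added PHP example (not WordPress source and not part of this advisory): a guard that assumes the key is a string, next to one that enforces the type first. The function names `key_accepted_weak` and `key_accepted_strict` and the sample inputs are constructed for illustration.

```php
<?php
// Added illustration; not WordPress source. Function names are hypothetical.

// Weak form: assumes the request value is a string.
function key_accepted_weak($key): bool
{
    // preg_replace() takes an array subject and returns an array,
    // so an array input is still an array after this "sanitising" step.
    $key = preg_replace('/[^a-z0-9]/i', '', $key);

    // empty() is true for '' but false for every array that has at
    // least one element, so the array passes the guard.
    return !empty($key);
}

// Hardened form: enforce the type before anything else looks at the value.
function key_accepted_strict($key): bool
{
    if (!is_string($key)) {
        return false;
    }
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    return $key !== '';
}

// Constructed inputs. PHP turns a bracketed parameter name into an array,
// which parse_str() reproduces here without a web server.
parse_str('action=rp&key=abc123', $scalar);
parse_str('action=rp&key=', $blank);
parse_str('action=rp&key[]=x', $bracketed);

$samples = [
    'string key' => $scalar['key'],
    'blank key'  => $blank['key'],
    'array key'  => $bracketed['key'],
];

foreach ($samples as $label => $value) {
    printf(
        "%-11s type=%-6s weak=%s strict=%s\n",
        $label,
        gettype($value),
        var_export(key_accepted_weak($value), true),
        var_export(key_accepted_strict($value), true)
    );
}
```

Only the array input is treated differently by the two guards, which is the gap a string-only assumption leaves open.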
Remediation
References