willem67
Member
Posted 3 months ago #
I discovered that I can log in to my site with any password as long as I use the correct username. I don't know how long this has been going on.
I did reset my password several times without result. I also emptied the cache; removed the password from my browser; my operating system, etc. But I can still log in with any password.
This is very worrying.
Willem
Try a different browser.
Also, what plugins are you running? I can't repro this on a clean install.
willem67
Member
Posted 3 months ago #
I just solved it by looking into my plugins. When I deactivated 'Absolutely Privacy', the problem was over.
Bizarrely, I have had that plugin for a long time.
Conclusion: The security leak seems to be in 'Absolutely Privacy'.
What is the official method to report such a leak?
Usually by doing what you did: http://wordpress.org/tags/absolute-privacy?forum_id=10 lists other people having the same problem.
You can also email plugins[at]wordpress.org to report it.
The plugin has been patched as of version 2.0.6 to fix this vulnerability.