Lingering 2.8.4 Password Vulnerability (sorta) | WordPress.org

nickel
(@nickel)

14 years, 7 months ago

Hey all,

I upgraded all of my sites to 2.8.4 awhile back, and this was supposed to solve the password vulnerability problem. Here’s the thing…

This morning I awoke to find a notification from one of my sites that someone had requested a password reset. That was immediately followed by an e-mail saying that the password had been reset, though it didn’t actually include a new password.

Curious, I logged in (I typed the url directly, didn’t follow the link in the e-mail) and found that my original password still works. Once I was logged in, however, I was greeted by a message saying that I was using an auto-generated password, and asking if I wanted to change it.

Has anyone seen anything like this?

Thanks!

A few notes:
– The e-mail address and domain have nothing in common, so this doesn’t appear to be a case of social engineering
– The link included in the original e-mail is legit (I viewed the source)
– I ended up resetting the password myself and all of the e-mails looked identical to what I originally received

The topic ‘Lingering 2.8.4 Password Vulnerability (sorta)’ is closed to new replies.

In: Fixing WordPress
0 replies
1 participant
Last reply from: nickel
Last activity: 14 years, 7 months ago
Status: not resolved

Topics

Topics with no replies

Non-support topics

Resolved topics

Unresolved topics

All topics