WordPress.org

Support

Support » How-To and Troubleshooting » Lingering 2.8.4 Password Vulnerability (sorta)

Lingering 2.8.4 Password Vulnerability (sorta)

  • Hey all,

    I upgraded all of my sites to 2.8.4 awhile back, and this was supposed to solve the password vulnerability problem. Here’s the thing…

    This morning I awoke to find a notification from one of my sites that someone had requested a password reset. That was immediately followed by an e-mail saying that the password had been reset, though it didn’t actually include a new password.

    Curious, I logged in (I typed the url directly, didn’t follow the link in the e-mail) and found that my original password still works. Once I was logged in, however, I was greeted by a message saying that I was using an auto-generated password, and asking if I wanted to change it.

    Has anyone seen anything like this?

    Thanks!

    A few notes:
    – The e-mail address and domain have nothing in common, so this doesn’t appear to be a case of social engineering
    – The link included in the original e-mail is legit (I viewed the source)
    – I ended up resetting the password myself and all of the e-mails looked identical to what I originally received

  • The topic ‘Lingering 2.8.4 Password Vulnerability (sorta)’ is closed to new replies.