If you allow open registration on your blog, you must upgrade to WordPress 2.6.2. From a security point of view the upgrade is mandatory: Stefan Esser recently warned developers about the dangers of SQL column truncation and the weak seeding of PHP's mt_rand(), and WordPress 2.6.1 and earlier are exposed to both.
With open registration enabled, WordPress 2.6.1 and earlier let an attacker craft a username that causes another user's password to be reset to a randomly generated one. The trick is column truncation: the crafted name passes WordPress's "does this user already exist?" check, but MySQL silently cuts it down to the column width on INSERT, and the stored value then compares equal to an existing login such as the administrator's. The new password is sent only to the victim, not to the attacker, so on its own the bug is a nuisance (the victim is locked out until they read the new password in their mail) rather than an account takeover. Combined with the weakness in mt_rand() seeding, however, the "random" password can be predicted, and that is what makes it a real exploit. If you cannot upgrade right away, turn off the "Anyone can register" option until you can; without open registration the crafted username cannot be created in the first place.
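To make the mechanism concrete, here is a constructed Python simulation, added for this page; it is not WordPress, MySQL or Stefan Esser's code. It models a MySQL VARCHAR column in non-strict mode with a PAD SPACE collation, a 2.6.1-style registration check beside a hardened one, a simplified two-step reset flow (an assumption about the shape of such a flow, not WordPress's own code path), and a PRNG with a deliberately small seed space standing in for mt_rand(). The column width of 60, the account names and addresses, and the 12-character password format are all assumptions.

```python
"""Constructed simulation of the two weaknesses behind the 2.6.2 release.
Example code written for this page, not WordPress or MySQL code; the reset
flow is a simplified model, not WordPress's own."""
import random
import secrets
import string

USER_LOGIN_WIDTH = 60          # assumption: users.user_login is VARCHAR(60)
PASSWORD_CHARS = string.ascii_letters + string.digits


class LenientVarcharTable:
    """Mimics MySQL without STRICT mode on a PAD SPACE collation: INSERT
    silently truncates to the column width, and comparisons on the column
    ignore trailing spaces."""

    def __init__(self, width):
        self.width = width
        self.rows = []             # dicts with login, email, key, password

    @staticmethod
    def _eq(a, b):
        return a.rstrip(" ") == b.rstrip(" ")

    def insert(self, login, email):
        self.rows.append({"login": login[:self.width], "email": email,
                          "key": None, "password": None})

    def select_by_login(self, login):
        return [r for r in self.rows if self._eq(r["login"], login)]

    def select_by_email(self, email):
        return [r for r in self.rows if r["email"] == email]

    def update_key_by_login(self, login, key):
        # UPDATE ... WHERE user_login = ? touches every row that compares equal
        for r in self.select_by_login(login):
            r["key"] = key


def vulnerable_register(table, login, email):
    """Uniqueness checked on the raw value, then a truncating INSERT."""
    if table.select_by_login(login):
        raise ValueError("username already exists")
    table.insert(login, email)


def hardened_register(table, login, email):
    """Refuse anything the column cannot store verbatim *before* the
    uniqueness check; pair this with STRICT_ALL_TABLES in MySQL so a
    truncating INSERT fails instead of silently editing the value."""
    if not login or len(login) > table.width or login != login.strip(" "):
        raise ValueError("invalid username")
    if table.select_by_login(login):
        raise ValueError("username already exists")
    table.insert(login, email)


def weak_password(seed, length=12):
    """Stand-in for an mt_rand()-based generator: Python's Mersenne Twister
    (not bit-identical to PHP's) seeded from a value an attacker can guess."""
    rng = random.Random(seed)
    return "".join(rng.choice(PASSWORD_CHARS) for _ in range(length))


def strong_password(length=12):
    """What a reset should use: an OS-backed CSPRNG with no seed to guess."""
    return "".join(secrets.choice(PASSWORD_CHARS) for _ in range(length))


def request_reset(table, email):
    """Modelled step 1: look the account up by e-mail, store a confirmation
    key keyed on its login, return the key (it is mailed to `email`)."""
    row = table.select_by_email(email)[0]
    key = secrets.token_hex(16)
    table.update_key_by_login(row["login"], key)   # hits the admin row too
    return key


def confirm_reset(table, key, login, password_source):
    """Modelled step 2: the first row whose login and key match gets a new
    password, mailed to that row's address. Returns (email, password)."""
    for r in table.select_by_login(login):
        if r["key"] == key:
            r["password"] = password_source()
            return r["email"], r["password"]
    raise LookupError("invalid key")


def truncation_attack(register, password_source=strong_password):
    """Register a name that passes the uniqueness check but truncates to
    'admin' + spaces, then complete a reset for it. Returns the address the
    new password was mailed to plus the password (bookkeeping only; the
    attacker never sees that mail), or None if registration was refused."""
    table = LenientVarcharTable(USER_LOGIN_WIDTH)
    register(table, "admin", "admin@example.com")
    crafted = "admin" + " " * (USER_LOGIN_WIDTH - len("admin")) + "x"
    try:
        register(table, crafted, "attacker@example.com")
    except ValueError:
        return None
    key = request_reset(table, "attacker@example.com")   # lands in attacker's inbox
    return confirm_reset(table, key, "admin", password_source)


def recover_seed(target, seed_bits=16):
    """Attacker side of the mt_rand() weakness: replay the generator for every
    seed in a (deliberately tiny, 2**16) seed space until it reproduces the
    password. The real space is larger, but finite and searchable offline."""
    for seed in range(1 << seed_bits):
        if weak_password(seed) == target:
            return seed
    return None


if __name__ == "__main__":
    print(truncation_attack(vulnerable_register))   # mailed to admin@example.com
    print(truncation_attack(hardened_register))     # None: crafted name refused
    print(recover_seed(weak_password(31337)))       # 31337
```

Run it and the vulnerable path reports that the new password went to admin@example.com even though the attacker started the reset, because the attacker's stored login compares equal to "admin" and the key update keyed on user_login hit both rows; the hardened path refuses the crafted name before any SQL runs. recover_seed() uses a 16-bit seed space so it finishes in well under a second; the lesson is that a seeded PRNG with a bounded seed space is replayable, which is why reset passwords must come from a CSPRNG rather than mt_rand().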





5 comments
I just created a post about this new update from WordPress.
Paul U's last blog post.. WordPress 2.6.2 now available
I had open registration on one of my blogs, but I have disabled it now. It's WP 2.6. But I only opened it so a friend could register as a contributor.
WordPress is coming out with too many upgrades too fast.
ZK@WebTrafficROI's last blog post.. 4 Tips to write effective Title Tags to increase conversions
This was critical from a security point of view, so as soon as they realized the vulnerability they came up with a solution in 2.6.2.
Whoa, this is the first time I've read about this. I typically avoid upgrading for a long time… basically until a cool new plugin comes around, but I'll have to upgrade now.