WordPress vulnerability: Remote admin password reset

Today, a way was presented how to reset an admin’s password of a WordPress installation, by just calling http://domain.dom/wp-login.php?action=rp&key[]=

So please, as long as there is no official release fixing this problem, apply this changeset to your wp-login.php.

Simply change line 190 in wp-login.php to

    if ( empty( $key ) || is_array( $key ) )

Then the “arraytrick” does not work anymore. The trick was, that after bypassing if (empty($key)), the database is queried for all users having a blank user_activation_key field. This is true for all users by default (except for those, who have recently ordered an activation key for password reset). Hence, the database simply returns the first user, whose user_activation_key is empty. His password then is reset. This user is likely the admin, because he is the first user in the table.


The changeset named above is not the only change the WordPress developers made. As we can see from changeset 11800 and changeset 11801, the password reset is only done when the key is actually a string and the user calling the “reset password URL” is logged in. Both modifications are already branched, so you can take this wp-login.php or wait for the next official release.


The official update to WordPress 2.8.4 is released! Update now!