Yes, there is still no patch in sight of the latest WordPress Admin Password Reset exploit where anyone can reset admin password of any blog hosted on WordPress without any confirmation.

Whats the bug?

The password reset URL takes parameter with the name of key. If you pass this key as arbitrary text or empty then nothing happens and an error is displayed.

Someone really genius worked out a way to fool it and passed key[] which is an empty array! And the reset php page thinks it as valid and resets the password and sends out the email to the admin’s email address listed.

Whats the fix?

Open wp-login.php and goto line 190 (for WP 2.8.3) and line 169 (for earlier versions) and replace this line:




What does this mean?

This means that in addition to no value or null being passed, if some smart guy passes an array then that should also be treated as invalid.


WordPress update 2.8.4 has been released.

Download the microsoft certification dumps to prepare and pass real exam. using itil certification dumps, not only you will reduce the exam burden but it also helps to understand test format.