WordPress Security Flaw – Admin Password Reset


It is possible to reset the admin password in all versions of WordPress up to and including the most recent version, 2.8.3.
This information comes from a milw0rm exploit.

So, the gist is you can simply go to:
http://domain.example/wp-login.php?action=rp&key[]=
and it’ll reset the admin password. milw0rm didn’t supply a patch, but thankfully the internet is awesome and pzero from reddit pointed me to the fix:
Open wp-login.php and go to line 190 (assuming WP 2.8.3, or for earlier versions line 169) and replace this line:
if (empty( $key ) )
with
if (empty( $key ) || is_array( $key ) )
Have fun patching your systems peeps. If (and only if) you’re running 2.8.3 you can download a fixed wp-login.php. If you’re running a lower version, you’ll have to edit the file manually. Please back up your wp-login.php before changing it, my file might cause unforeseen problems otherwise.
UPDATE: WordPress has now released 2.8.4, which fixes this issue. Upgrade now.
Here are some screenshots showing exactly how it works:
[Screenshot: WordPress password reset - malicious URL]
- just press enter and then…
[Screenshot: WordPress password reset - attack worked]
but with the patch in place, WordPress is no longer vulnerable to this password reset attack:
[Screenshot: WordPress password reset - Patched!]
To those of you wondering what the consequences are:
  • Annoyance.
  • Inconvenience.
  • Admin lock-out, if a script was set up to repeatedly generate new passwords.
  • Admin lock-out, if admin no longer has access to their “admin” email address.
  • Resource consumption.
  • Email flood.
So, while it’s not as serious as a revealed password would be, there are some serious potential consequences.
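If you want to know whether anyone has been hitting your site with this, the request is easy to spot in the web server access log. The script below is an added example, not part of the original post or of WordPress: it flags requests to wp-login.php with action=rp where key arrives as an array (key[], key%5B%5D, key[0] and so on) and counts them per client address. The log lines, the function names and the "combined" log format are assumptions made for the example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [11/Aug/2009:10:01:02 +0000] "GET /wp-login.php?action=rp&key[]= HTTP/1.1" 200 1843 "-" "curl/7.19"
203.0.113.7 - - [11/Aug/2009:10:01:09 +0000] "GET /wp-login.php?action=rp&key%5B%5D= HTTP/1.1" 200 1843 "-" "curl/7.19"
198.51.100.4 - - [11/Aug/2009:10:02:30 +0000] "GET /wp-login.php?action=rp&key=Zx81kQpLm3 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [11/Aug/2009:10:03:00 +0000] "GET /blog/wp-login.php?key[0]=&action=rp HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
192.0.2.15 - - [11/Aug/2009:10:04:00 +0000] "GET /wp-login.php?action=lostpassword HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
"""

# Client address and request target from a combined-format line.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*"')


def is_array_key_reset(target):
    """True if target is wp-login.php?action=rp with 'key' sent as an array."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-login.php"):
        return False
    # parse_qsl percent-decodes parameter names, so key%5B%5D is seen as key[].
    params = parse_qsl(parts.query, keep_blank_values=True)
    is_reset = any(name == "action" and value == "rp" for name, value in params)
    array_key = any(re.fullmatch(r"key\[[^\]]*\]", name) for name, _ in params)
    return is_reset and array_key


def suspicious_hits(log_text):
    """Count matching requests per client address."""
    hits = Counter()
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m and is_array_key_reset(m.group(2)):
            hits[m.group(1)] += 1
    return hits


if __name__ == "__main__":
    for ip, count in suspicious_hits(SAMPLE_LOG).most_common():
        print(f"{ip}\t{count} password-reset request(s) with array-valued key")
```

Feed it the text of your own access log in place of SAMPLE_LOG. It only inspects the request line, so parameters sent in a request body are not covered.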
