If you have allowed open registration for your blog readers, you should upgrade to the latest version of WordPress, 2.6.2. This release fixes a vulnerability in WordPress 2.6.1 and earlier that, when combined with a weakness in how PHP's mt_rand() is seeded, could let an attacker reset another user's password and predict the new one. Even if registration is closed, upgrading is cheap and removes the exposure should you ever open it.
Here is what the WordPress blog says about this vulnerability:
With open registration enabled, it is possible in WordPress versions 2.6.1 and earlier to craft a username such that it will allow resetting another user’s password to a randomly generated password. The randomly generated password is not disclosed to the attacker, so this problem by itself is annoying but not a security exploit. However, this attack coupled with a weakness in the random number seeding in mt_rand() could be used to predict the randomly generated password.
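Both conditions in the quoted text (an install older than 2.6.2, and open registration switched on) can be checked from the server side before deciding how urgent the upgrade is. The script below is an added example, not code from the original post or from WordPress: it reads the `$wp_version` string out of `wp-includes/version.php` and combines it with the raw `users_can_register` option value (which you would fetch from the database, e.g. `SELECT option_value FROM wp_options WHERE option_name = 'users_can_register';`, assuming the default `wp_` table prefix). The sample file contents and option value embedded in the script are constructed for the demonstration.

```python
import re

# Constructed sample of wp-includes/version.php from a 2.6.1 install
# (not copied from a real WordPress release)
SAMPLE_VERSION_PHP = """<?php
/**
 * The WordPress version string
 */
$wp_version = '2.6.1';

/**
 * Holds the WordPress DB revision
 */
$wp_db_version = 8201;
"""

# Constructed sample of the option_value returned by:
#   SELECT option_value FROM wp_options WHERE option_name = 'users_can_register';
# '1' means open registration is enabled, '0' means it is off.
SAMPLE_USERS_CAN_REGISTER = "1"

FIXED_IN = "2.6.2"  # first release carrying the fix, per the release post


def parse_wp_version(version_php_text):
    """Pull the $wp_version string out of the text of wp-includes/version.php."""
    m = re.search(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]", version_php_text)
    if not m:
        raise ValueError("no $wp_version assignment found")
    return m.group(1)


def version_key(version):
    """Turn '2.6.1' (or '2.7-beta1') into a comparable tuple of ints.

    Pre-release suffixes are dropped, so a 2.7 beta compares as 2.7, which
    is later than 2.6.2 and therefore not flagged as outdated.
    """
    numeric = re.match(r"\d+(?:\.\d+)*", version)
    if not numeric:
        raise ValueError("unparseable version: %r" % version)
    parts = tuple(int(p) for p in numeric.group(0).split("."))
    # Pad so that '2.6' compares equal to '2.6.0' rather than sorting oddly
    return parts + (0,) * (3 - len(parts))


def is_exposed(version, users_can_register):
    """True only when the install predates 2.6.2 AND open registration is on.

    users_can_register is the raw option_value string ('1' or '0').
    """
    outdated = version_key(version) < version_key(FIXED_IN)
    open_registration = str(users_can_register).strip() == "1"
    return outdated and open_registration


def check_install(version_php_text, users_can_register):
    """Run both checks on the given file text and option value; return a verdict."""
    version = parse_wp_version(version_php_text)
    return {
        "version": version,
        "outdated": version_key(version) < version_key(FIXED_IN),
        "open_registration": str(users_can_register).strip() == "1",
        "exposed": is_exposed(version, users_can_register),
    }


if __name__ == "__main__":
    # On a real server, replace the samples with open("wp-includes/version.php").read()
    # and the option_value fetched from the database.
    print(check_install(SAMPLE_VERSION_PHP, SAMPLE_USERS_CAN_REGISTER))
```

An `exposed` verdict of True means the attack described in the quote applies to your install; an outdated install with registration off is still worth upgrading, since the other fixes in 2.6.2 apply regardless and registration can be switched on later.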
Some other bug fixes include:
- Images that were always inserted into a post at full size
- RSS widget linking if there isn’t a link
- Inability to control where a user redirects to when they log in
- Include the MySQL version in the version check query string
For more information, check out the release post.
If you are already running WordPress 2.6.1, you can save time by downloading a zip archive of just the 12 files that changed between 2.6.1 and 2.6.2 and replacing those in place. Go here, scroll right down to the bottom of the page and click on "Zip Archives". As with any upgrade, back up the existing files and database before overwriting anything.