A vulnerability has been discovered in WordPress Content Management System (CMS), which could allow an attacker to take control of the affected system. WordPress is an open source CMS for websites.
Successful exploitation of the vulnerability could result in an attacker resetting the administrator password and gaining complete control of the WordPress blog. Depending on the privileges gained, an attacker could install extensions; view, change, or delete data; or create new accounts with full user rights.
All versions of WordPress
A vulnerability has been identified in WordPress CMS that could allow an attacker to take control of the blog. Due to a deficiency in the CSPRNG (Cryptographically Secure Pseudo-Random Number Generator) used to generate password reset tokens, an attacker can predict an administrator's password reset token, reset the administrator password, and then access sensitive information; deface the site; install extensions; view, change, or delete data; or create new accounts with full user rights.
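The defect described above is a token that comes from a predictable generator rather than a CSPRNG. The following Python is an added illustration for readers reviewing their own reset flows; it is not WordPress code and does not reproduce the affected implementation. It contrasts a token drawn from a non-cryptographic PRNG seeded with a low-entropy value (same seed, same token) with one drawn from the OS CSPRNG, and shows a minimal reset-token store with the properties a defender should check for: only a hash of the token is persisted, the token expires, it is single use, and comparison is constant time. The 24-hour lifetime, the `ResetTokenStore` class and the `weak_token`/`strong_token` helper names are assumptions of this example.

```python
"""Password-reset token handling with a CSPRNG (added example, not WordPress code)."""
import hashlib
import hmac
import random
import secrets
import time

TOKEN_TTL_SECONDS = 24 * 60 * 60  # assumed lifetime of a reset link


def weak_token(seed: int, nbytes: int = 20) -> str:
    """Token from a non-cryptographic PRNG seeded with a low-entropy value
    such as a timestamp. The same seed always yields the same token, which is
    exactly the property that makes such tokens predictable."""
    rng = random.Random(seed)
    return "".join(f"{rng.getrandbits(8):02x}" for _ in range(nbytes))


def strong_token(nbytes: int = 20) -> str:
    """Token from the operating system CSPRNG (secrets -> os.urandom)."""
    return secrets.token_hex(nbytes)


class ResetTokenStore:
    """Keeps only a SHA-256 digest of each issued token, with expiry and single use.

    The `now` callable is injectable so the expiry logic can be exercised
    deterministically; production code would use time.time directly."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # user -> (sha256 hex digest of token, issued_at)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user: str) -> str:
        """Create a fresh token for `user`, persist its digest, return the plaintext
        to be sent out of band (e.g. by e-mail). A new issue replaces any older one."""
        token = strong_token()
        self._pending[user] = (self._digest(token), self._now())
        return token

    def redeem(self, user: str, token: str) -> bool:
        """Return True exactly once for a valid, unexpired token; False otherwise."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        digest, issued_at = entry
        if self._now() - issued_at > TOKEN_TTL_SECONDS:
            del self._pending[user]  # expired: discard it
            return False
        # Constant-time comparison so a timing side channel cannot leak the digest.
        if not hmac.compare_digest(digest, self._digest(token)):
            return False
        del self._pending[user]  # single use
        return True


if __name__ == "__main__":
    print("weak tokens from one seed match:", weak_token(1234) == weak_token(1234))
    print("strong tokens differ:", strong_token() != strong_token())
    store = ResetTokenStore()
    t = store.issue("admin")
    print("first redeem:", store.redeem("admin", t), "second redeem:", store.redeem("admin", t))
```

Hashing the stored token means that a read of the database table alone does not yield a usable reset link, and the single-use and expiry checks limit the window in which any leaked or guessed token is worth anything. Those three checks, plus a CSPRNG source, are what to look for when auditing a reset flow after applying the update the advisory recommends.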
We recommend the following actions be taken:
- Update vulnerable systems running WordPress immediately after appropriate testing.
- Review and follow the WordPress hardening guidelines: http://codex.wordpress.org/Hardening_WordPress
- Confirm that the operating system and all other applications on the system running this CMS are updated with the most recent patches.
- Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.