WordPress 2.8.4 is out, and it is yet another security release. Matt Mullenweg describes the issue like this:
Yesterday a vulnerability was discovered: a specially crafted URL could be requested that would allow an attacker to bypass a security check to verify a user requested a password reset. As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner. This doesn’t allow remote access, but it is very annoying.
As always you can upgrade automatically from within your admin interface, or download from wordpress.org.
Update: The WordPress MU 2.8.4 version is out too. Download or upgrade automatically.
Author: Thord Daniel Hedengren
Thord Daniel Hedengren is a designer, writer, and blogger, and also the former editor of The Blog Herald. He used to be a hotshot in the gaming industry in Sweden, but sold everything and went International. Most recently he wrote a book called Smashing WordPress: Beyond the Blog, and does loads of kickass design.
