Stefan Esser recently warned developers about the dangers of SQL column truncation and the weakness of mt_rand(). With his help we worked around these problems and are now releasing WordPress 2.6.2. If you allow open registration on your blog, you should definitely upgrade. With open registration enabled, it is possible in WordPress versions 2.6.1 and earlier to craft a username such that it allows resetting another user's password to a randomly generated password. The randomly generated password is not disclosed to the attacker, so this problem by itself is annoying but not a security exploit. However, this attack coupled with a weakness in the random number seeding in mt_rand() could be used to predict the randomly generated password. Stefan Esser will release details of the full attack shortly. The attack is difficult to accomplish, but its mere possibility means we recommend upgrading to 2.6.2.
Other PHP apps are susceptible to this class of attack. To protect all of your apps, grab the latest version of Suhosin. If you have already updated Suhosin, your existing WordPress installation is already protected from the full exploit. You should still upgrade to 2.6.2 if you allow open user registration, so as to prevent the possibility of passwords being randomized.
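As an added illustration of the two weaknesses described above (not code from the original post or from WordPress), the following Python sketch shows why a registration check that compares the raw submitted username can be fooled by column truncation, how to reject such usernames before they are stored, and how to draw reset passwords from a CSPRNG instead of a seedable PRNG such as mt_rand(). The column width of 60, the silent truncation and the trailing-space-insensitive comparison are assumptions constructed for the example; check them against your own schema and server settings.

```python
import secrets
import string

# Assumed column constraints (constructed for this example, not taken from
# WordPress): a 60-character login column on a server that silently cuts
# over-long values and ignores trailing spaces when comparing strings.
LOGIN_COLUMN_WIDTH = 60


def stored_form(username: str) -> str:
    """Simulate what such a non-strict database actually persists and compares:
    the value is cut to the column width and trailing spaces do not count."""
    return username[:LOGIN_COLUMN_WIDTH].rstrip(" ")


def truncation_collision(candidate: str, existing_logins) -> bool:
    """True if `candidate` passes a naive exact-match uniqueness check but
    collides with an existing login once the database has stored it.
    That second row is what lets a later lookup by login name pick the
    wrong account."""
    if candidate in existing_logins:
        return True  # plain duplicate, caught by any uniqueness check
    return stored_form(candidate) in {stored_form(e) for e in existing_logins}


def validate_new_username(candidate: str, existing_logins) -> bool:
    """Defensive registration check: only accept a username the column will
    store unchanged, so the value checked for uniqueness is the value kept."""
    if not candidate or not candidate.isprintable():
        return False
    if candidate != stored_form(candidate):
        return False  # would be truncated, or carries trailing spaces
    return not truncation_collision(candidate, existing_logins)


def generate_reset_password(length: int = 16) -> str:
    """Reset passwords come from the OS CSPRNG (the `secrets` module), so a
    weak or predictable seed cannot be used to guess them."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    existing = {"admin", "editor"}
    crafted = "admin" + " " * 60 + "x"  # constructed over-long lookalike
    print("collides after truncation:", truncation_collision(crafted, existing))
    print("accepted by strict check:", validate_new_username(crafted, existing))
    print("new reset password:", generate_reset_password())
```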