For those still using 2.7.1
Make sure to patch your version manually.
wp-login.php: is_string() used in this code versus empty().
    function reset_password($key, $login) {
        global $wpdb, $current_site;

        $key = preg_replace('/[^a-z0-9]/i', '', $key);

        if ( empty( $key ) || !is_string( $key ) )
            return new WP_Error('invalid_key', __('Invalid key'));

        if ( empty($login) || !is_string($login) )
            return new WP_Error('invalid_key', __('Invalid key'));
Slashdot:
http://it.slashdot.org/story/09/08/12/1353211/WordPress-Exploit-Allows-Admin-Password-Reset
Online downloads of both regular and mu contain the fix.
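
An added example, not part of the original post and not WordPress code: it compares a check that relies on empty() alone with the empty() plus is_string() check from the excerpt above, over constructed inputs of different types. The function names are hypothetical.

```php
<?php
// Added illustration; sanitize_key_value(), key_check_empty_only() and
// key_check_patched() are hypothetical names, not WordPress functions.

// Same sanitising step as the excerpt. preg_replace() returns an array
// when it is handed an array subject, so the type of the input survives.
function sanitize_key_value($key) {
    return preg_replace('/[^a-z0-9]/i', '', $key);
}

// Check that relies on empty() alone.
function key_check_empty_only($key) {
    $key = sanitize_key_value($key);
    return !empty($key);
}

// Check as in the patched excerpt: empty() combined with is_string().
function key_check_patched($key) {
    $key = sanitize_key_value($key);
    return !(empty($key) || !is_string($key));
}

// Constructed sample inputs, one per type or edge case.
$samples = array(
    'well-formed key'     => 'aB3dE5fG7hJ9',
    'empty string'        => '',
    'only stripped chars' => '!!!---',
    'empty array'         => array(),
    // An array with one element is not "empty", even if that element is ''.
    'array holding ""'    => array(''),
);

foreach ($samples as $label => $value) {
    printf("%-22s empty-only: %-7s patched: %s\n",
        $label,
        key_check_empty_only($value) ? 'accept' : 'reject',
        key_check_patched($value) ? 'accept' : 'reject');
}
```

The two checks differ only on the last sample, which is the case the added is_string() test exists to reject.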