It's Not A Takeover. It's An Annoyance.
Sk1dd3s can force a password reset on the admin account.
They can't actually take the blog over, just make it a pain to access.
I'll wait until the "less panicked" release comes out...
This story was updated to correct details of the bug. It allows attackers to reset passwords, but not take over accounts. Developers of the widely used WordPress blogging software have released an update that fixes a vulnerability that let attackers reset the administrator password. The bug in version 2.8.3 is trivial to …
You can cause a password reset for the administrator which results in the password being reset and the administrator being sent an email with the new password. Unless the attacker has access to the admin's email (in which case they could do a normal password reset anyways) this isn't an issue. Why this is a problem is if people continually reset a blog's password they can effectively lock the administrator out.
Unless they have that then it's not going to help them, and as has been pointed out it only allows them to force a reset on the password, it doesn't give them access to the account due to the two part process needed to reset a password on WordPress.
And it's fixed already and WP (and WPMU) have update checking in them so people will start to get notifications that they need to upgrade.
So not the huge disaster you tried to paint it as.
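The two-part reset flow the commenters describe (a request step that only mails a token, and a confirm step that is the only path that changes the password) is shown below as an added illustration. This is not WordPress's code and not any commenter's code; the `PasswordResetService`, `Account` and `hash_secret` names, the throttle interval and the in-memory mailbox are all constructed for the example. It also adds the one mitigation the "lock the administrator out" scenario calls for: a per-account minimum interval between reset e-mails, so repeated requests cannot keep churning the account.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


def hash_secret(value: str) -> str:
    # Stand-in for a real password/token hash; production code would use a KDF
    # such as bcrypt or argon2. Kept simple so the example runs offline.
    return hashlib.sha256(value.encode()).hexdigest()


@dataclass
class Account:
    username: str
    email: str
    password_hash: str
    reset_token_hash: Optional[str] = None   # hash of the outstanding one-time token
    reset_expires: float = 0.0               # unix time after which the token is dead
    last_reset_request: float = 0.0          # for throttling repeated requests


class PasswordResetService:
    TOKEN_TTL = 3600       # seconds a reset token stays valid (assumed value)
    MIN_INTERVAL = 900     # seconds between reset e-mails for one account (assumed value)

    def __init__(self, accounts: Dict[str, Account],
                 send_mail: Callable[[str, str], None],
                 now: Callable[[], float] = time.time):
        self.accounts = accounts
        self.send_mail = send_mail
        self.now = now  # injectable clock so the flow can be tested deterministically

    def request_reset(self, username: str) -> bool:
        """Step 1: anyone can ask. The stored password is NOT touched here; only a
        fresh token is recorded and mailed to the address already on file."""
        acct = self.accounts.get(username)
        if acct is None:
            return False  # a real handler would return the same response either way
        if self.now() - acct.last_reset_request < self.MIN_INTERVAL:
            return False  # throttled: repeated requests cannot flood the admin's inbox
        token = secrets.token_urlsafe(32)
        acct.reset_token_hash = hash_secret(token)   # store only the hash
        acct.reset_expires = self.now() + self.TOKEN_TTL
        acct.last_reset_request = self.now()
        self.send_mail(acct.email, f"Reset link: /reset?user={username}&token={token}")
        return True

    def confirm_reset(self, username: str, token: str, new_password: str) -> bool:
        """Step 2: only whoever can read the mailbox holds the token, and this is the
        only path that changes the password. Tokens expire and are single-use."""
        acct = self.accounts.get(username)
        if acct is None or acct.reset_token_hash is None:
            return False
        if self.now() > acct.reset_expires:
            acct.reset_token_hash = None
            return False
        if not hmac.compare_digest(acct.reset_token_hash, hash_secret(token)):
            return False  # constant-time compare; wrong token leaves everything intact
        acct.password_hash = hash_secret(new_password)
        acct.reset_token_hash = None  # burn the token so the link cannot be replayed
        return True


def demo() -> Tuple[bool, bool, bool, bool, List[Tuple[str, str]]]:
    """Constructed scenario: one admin account and an in-memory outbox."""
    outbox: List[Tuple[str, str]] = []
    clock = [1_000.0]
    accounts = {"admin": Account("admin", "admin@example.test", hash_secret("old-pass"))}
    svc = PasswordResetService(accounts, lambda to, body: outbox.append((to, body)),
                               now=lambda: clock[0])
    first = svc.request_reset("admin")      # True: token mailed, password unchanged
    repeat = svc.request_reset("admin")     # False: throttled, no second e-mail
    token = outbox[0][1].split("token=")[1]
    bad = svc.confirm_reset("admin", "guess", "attacker-pass")   # False: no change
    good = svc.confirm_reset("admin", token, "new-pass")         # True: changed once
    return first, repeat, bad, good, outbox


if __name__ == "__main__":
    print(demo()[:4])
```

The point of the split is that a request alone is harmless to the credential: without the mailed token the stored hash never moves, and with the throttle in place a stream of requests costs the administrator one e-mail per interval rather than a locked-out account.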
Biting the hand that feeds IT © 1998–2019