Coming back tonight I found that 2.8.4 had started being pushed out through the admin dashboard; I went round the friend links and nearly all of them had this news as their top post.
Below is the official update announcement:
Yesterday a vulnerability was discovered: a specially crafted URL could be requested that would allow an attacker to bypass a security check to verify a user requested a password reset. As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner. This doesn’t allow remote access, but it is very annoying.
We fixed this problem last night and have been testing the fixes and looking for other problems since then. Version 2.8.4 which fixes all known problems is now available for download and is highly recommended for all users of WordPress.
The gist: yesterday, during a review, a vulnerability involving a specially crafted URL request was found that could let a user's password be changed without authorization. It could allow the site founder's password to be changed with no need for the database password, and the new password would be sent to that account's admin mailbox.
Although this does not grant any remote access, it is very annoying.
We fixed this issue last night, and strongly recommend that all users upgrade.
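The announcement describes a reset handler that looked an account up by its stored reset key without first confirming that the submitted key was a real, non-empty value, so an account with no key on file (typically the admin) matched. The simulation below is an added example, not WordPress code: it contrasts that weak lookup with one that requires a non-empty string key bound to a named login, checks expiry, uses a constant-time comparison and consumes the key on use. The users table, logins and e-mail addresses are constructed for the illustration.

```python
"""Constructed simulation (not WordPress code) of a password-reset lookup that
trusts the submitted key blindly, beside one that validates it first."""
import copy
import secrets
import time
from typing import Optional

# Constructed in-memory "users table". Neither row has a pending reset, which
# mirrors the "first account without a key in the database" case the advisory
# describes: an empty stored key is what the weak lookup ends up matching.
USERS = [
    {"login": "admin", "email": "admin@example.invalid", "password": "x",
     "reset_key": "", "reset_expires": 0.0},
    {"login": "editor", "email": "editor@example.invalid", "password": "y",
     "reset_key": "", "reset_expires": 0.0},
]


def fresh_users():
    """Return an independent copy of the table so each scenario starts clean."""
    return copy.deepcopy(USERS)


def reset_vulnerable(users, key) -> Optional[str]:
    """Weak handler: finds the first row whose stored key equals the submitted
    value with no check that the value is a genuine, non-empty key. An empty
    submission therefore matches the first account with no pending reset and
    that account's password is replaced. Returns the affected login."""
    for row in users:
        if row["reset_key"] == key:
            row["password"] = secrets.token_urlsafe(12)
            return row["login"]
    return None


def request_reset(users, login: str, ttl_seconds: int = 3600) -> str:
    """Issue a fresh random, time-limited key bound to one specific account."""
    for row in users:
        if row["login"] == login:
            key = secrets.token_urlsafe(20)
            row["reset_key"] = key
            row["reset_expires"] = time.time() + ttl_seconds
            return key
    raise KeyError(login)


def reset_hardened(users, login, key) -> Optional[str]:
    """Hardened handler: the key must be a non-empty string, must belong to the
    named account, must be unexpired, is compared in constant time and is
    consumed on use. Returns the login on success, None on any failure."""
    if not isinstance(login, str) or not isinstance(key, str) or not key:
        return None
    now = time.time()
    for row in users:
        if row["login"] != login:
            continue
        if not row["reset_key"] or row["reset_expires"] < now:
            return None
        if not secrets.compare_digest(row["reset_key"], key):
            return None
        row["reset_key"] = ""          # single use: clear the key
        row["reset_expires"] = 0.0
        row["password"] = secrets.token_urlsafe(12)
        return row["login"]
    return None


if __name__ == "__main__":
    weak = fresh_users()
    print("weak handler, empty key resets:", reset_vulnerable(weak, ""))
    strong = fresh_users()
    print("hardened handler, empty key resets:", reset_hardened(strong, "admin", ""))
    k = request_reset(strong, "admin")
    print("hardened handler, valid key resets:", reset_hardened(strong, "admin", k))
```

The point of the hardened version is that the lookup is keyed on the account the user named, and the key only confirms that request; an account that never asked for a reset has nothing to match against, whatever shape the submitted value takes.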
Upgrade done, heh heh
My password got changed. Already upgraded.
@数数, everyone come and look at poor 数数