[Secure-testing-team] [Secure-testing-commits] r12566 - data/CVE
Michael S. Gilbert
michael.s.gilbert at gmail.com
Wed Aug 12 05:03:27 UTC 2009

On Wed, 12 Aug 2009 06:20:25 +0200 Giuseppe Iuculano wrote:
> Michael S. Gilbert wrote:
> 
> > although, the question is, what can the attacker do once they have
> > access to a wordpress account?  
> 
> Note that the attacker does not have access to a wordpress account; he can only
> send the reset password to the admin email.
If the attacker can send a password reset request, can they then change
the password?  Or does that just send an email back to the valid
user?  If that's the case, then yes, the worst that someone could do
is cause some annoyance by generating those mails.

Note that Fedora pushed updates for this today, so they must consider
it to be of worthwhile concern.  Not that we should view their opinion
as definitive, but it is more evidence that this is a real issue.
mike