WordPress 2.8.4 – Update Now

The folks at Automattic released a security update for WordPress today due to a very specific bug:

…a specially crafted URL could be requested that would allow an attacker to bypass a security check to verify a user requested a password reset. As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner.

While this isn’t an incredibly nasty bug, it does affect the admin user, which many folks use as their only point of access to the system, which is poor practice. On my customer sites, the admin user is never actually used by anyone (except for me, and only in an emergency). Everyone gets a user-specific account and that account has the right privileges for that user.

Click the upgrade button now, or have your web guy/gal/poodle take care of it for you.
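
The failure mode in the quoted advisory, as an added example (a simplified model written for this page, not WordPress code): a reset lookup that matches on the submitted key alone selects an account with no stored key once the "was a key supplied?" check is bypassed. The row layout, function names and sample keys are assumptions constructed for the illustration.

```php
<?php
// Simplified model of a password-reset key lookup (illustration only).
// Constructed sample rows: reset_key stays empty until a reset is requested.
$users = [
    ['login' => 'admin',  'reset_key' => ''],
    ['login' => 'editor', 'reset_key' => 'constructed-key-8f2a'],
];

// Flawed pattern: match on the submitted key alone. If the upstream
// presence check is bypassed, an empty key selects the first account
// that has no key stored.
function find_user_flawed(array $users, $key): ?string
{
    foreach ($users as $u) {
        if ($u['reset_key'] === $key) {
            return $u['login'];
        }
    }
    return null;
}

// Hardened pattern: validate the key's type and content first, and never
// let an account without a pending reset match anything.
function find_user_hardened(array $users, $key): ?string
{
    if (!is_string($key) || $key === '') {
        return null;
    }
    foreach ($users as $u) {
        // hash_equals() compares in constant time; both sides are strings here.
        if ($u['reset_key'] !== '' && hash_equals($u['reset_key'], $key)) {
            return $u['login'];
        }
    }
    return null;
}

// Constructed inputs: an empty key, a wrong key, the editor's pending key.
foreach (['', 'wrong-key', 'constructed-key-8f2a'] as $key) {
    printf(
        "key=%-24s flawed=%-7s hardened=%s\n",
        var_export($key, true),
        find_user_flawed($users, $key) ?? 'none',
        find_user_hardened($users, $key) ?? 'none'
    );
}
```

With the empty key, the flawed lookup returns the admin row while the hardened one returns nothing; both agree on the wrong key and on the editor's pending key.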