This update from WordPress came very quickly, but it is a very important one. Only last week I installed the new WordPress 2.8.3. This morning I was shocked to see another update from WordPress. WordPress discovered a new bug in the previous update.
This bug allows an attacker to bypass the security check that verifies a user requested a password reset, so the admin account without a key in the database would have its password reset directly. The new password would be emailed to the account owner's email address.
Attackers use the URL below to exploit it.
and the password will be reset and sent to your email address.
Yesterday a vulnerability was discovered: a specially crafted URL could be requested that would allow an attacker to bypass a security check to verify a user requested a password reset. As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner. This doesn’t allow remote access, but it is very annoying.
For more, visit the WordPress Blog.