CVE-2009-2762

Name of the Vulnerable Software and Affected Versions WordPress versions 2.8.3 and earlier

Description The issue allows remote attackers to force a password reset for the first user in the database, possibly the administrator. This is achieved by exploiting the wp-login.php file, where a key[] array variable in a resetpass (aka rp) action bypasses a check that assumes that $key is not an array.

Recommendations For WordPress versions 2.8.3 and earlier, update to a version later than 2.8.3 to resolve the issue. As a temporary workaround, consider restricting access to the wp-login.php file to minimize the risk of exploitation.