Today we received a security notice:

Affected package: wordpress-2.8.2,1
Type of problem: wordpress — remote admin password reset vulnerability.
Description:
WordPress reports:

A specially crafted URL could be requested that would allow an attacker to bypass a security check to verify a user requested a password reset. As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner.

References:

• URL: <http://wordpress.org/development/2009/08/2-8-4-security-release/>
• URL: <http://www.milw0rm.com/exploits/9410>

Affects:

• wordpress <2.8.4,1
• de-wordpress <2.8.4
• wordpress-mu <2.8.4a

Our installations of WordPress and WordPress-MU have been updated.

In addition, a review of our logs revealed several hack attempts using admin_topic_action_logging.php. Apparently some IBM systems are vulnerable to this exploit. The offending IPs have been banned from our server.