5.1 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
HIGH
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:H/Au:N/C:P/I:P/A:P
0.014 Low
EPSS
Percentile
86.3%
The Wordpress development team reports:
With open registration enabled, it is possible in WordPress
versions 2.6.1 and earlier to craft a username such that it
will allow resetting another users password to a randomly
generated password. The randomly generated password is not
disclosed to the attacker, so this problem by itself is annoying
but not a security exploit. However, this attack coupled with a
weakness in the random number seeding in mt_rand() could be used
to predict the randomly generated password.