The hack is called "admin takeover exploit"

Developers of the widely used WordPress blogging software have released an update that fixes a vulnerability that let attackers take over accounts by resetting the administrator password. The bug in version 2.8.3 is trivial to exploit remotely using nothing more than a web browser and a specially manipulated link. Typically, requests to reset a password are handled using a registered email address. Using the special URL, the old password is removed and a new one generated in its place with no confirmation required, according to this alert published on the Full-Disclosure mailing list.

The flaw lurks in some of the PHP code that fails to properly scrutinize user input when the password reset feature is invoked. Exploiting it is as easy as directing a web browser to a link that looks something like:

I actually saw the alert as it was published on Full-Disclosure, obviously anything to do with WordPress catches my attention. The exploit can be executed by running the following code on a WordPress 2.8.3 blog:

Code: http://www.domain.com/wp-login.php?action=rp&key=

simple but effective.
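The post says the reset code "fails to properly scrutinize user input". The following is an added example, not WordPress's own code and not the 2.8.4 patch, showing what a defensive check on the reset request looks like: the `key` parameter must be a plain, well-formed string, it must belong to the specific account named in the request, and it must be compared in constant time. The token format (20 alphanumeric characters), the `find_user_for_reset` helper and the in-memory user table are all assumptions made for the example.

```php
<?php
// Added example (not WordPress code): validate a password-reset request
// before any account is touched. Assumes reset tokens are random
// alphanumeric strings of a fixed length, stored per user with an expiry.

const RESET_KEY_LENGTH = 20; // assumed token length

/**
 * True only if $key is a well-formed reset token: a non-empty string of
 * the expected length made solely of alphanumeric characters. Anything
 * else (missing, wrong type, wrong shape) is rejected before lookup.
 */
function is_valid_reset_key($key): bool {
    if (!is_string($key) || $key === '') {
        return false;
    }
    if (strlen($key) !== RESET_KEY_LENGTH) {
        return false;
    }
    return ctype_alnum($key);
}

/**
 * Resolve which account a reset request may act on. $users stands in for
 * the database: login => ['key' => token, 'expires' => unix timestamp].
 * The request must name the account AND present that account's own,
 * unexpired token; a key alone never selects a user.
 */
function find_user_for_reset(array $users, $login, $key, int $now): ?string {
    if (!is_string($login) || !is_valid_reset_key($key)) {
        return null;
    }
    if (!isset($users[$login])) {
        return null;
    }
    $row = $users[$login];
    if ($row['expires'] < $now) {
        return null;
    }
    // Constant-time comparison so a wrong guess leaks nothing via timing.
    if (!hash_equals($row['key'], $key)) {
        return null;
    }
    return $login;
}

// Constructed sample data: one admin with an outstanding reset request.
$users = [
    'admin' => ['key' => 'a1B2c3D4e5F6g7H8i9J0', 'expires' => 1700000000 + 3600],
];
$now = 1700000000;

// Constructed request parameters, as a $_GET array might carry them.
$requests = [
    ['login' => 'admin', 'key' => 'a1B2c3D4e5F6g7H8i9J0'], // legitimate
    ['login' => 'admin', 'key' => ''],                     // empty key
    ['login' => 'admin', 'key' => null],                   // key absent
    ['login' => 'admin', 'key' => 'a1B2c3D4e5F6g7H8i9J1'], // wrong key
    ['login' => 'editor', 'key' => 'a1B2c3D4e5F6g7H8i9J0'], // admin's key, other login
];
foreach ($requests as $r) {
    $who = find_user_for_reset($users, $r['login'], $r['key'], $now);
    printf("%-8s %-26s => %s\n", $r['login'], json_encode($r['key']), $who ?? 'rejected');
}
```

Only the first request resolves to a user; every other line prints `rejected`. The point of the design is that the type and shape check runs before any database access, and that the token is bound to one named account rather than being the sole selector for a reset, which is the property the 2.8.3 reset flow lacked.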