An attacker may be able to take complete control of a website that uses the WordPress platform, due to the lack of a cryptographically secure pseudorandom number generator (CSPRNG).
A CSPRNG is a mechanism that generates random numbers on a computer which are suitable for cryptographic purposes, such as generating keys or salts. The numbers are pseudorandom because a truly random sequence can only be produced at a theoretical level.
The WordPress bug was discovered by Scott Arciszewski, a web developer from Orlando, Florida. He has already informed the WordPress developers of the need to implement a CSPRNG mechanism in the platform, in order to eliminate even the smallest chance that someone could predict the link used for resetting access credentials (the password reset link).
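As an added illustration (not WordPress code and not the researcher's patch), the following PHP sketch shows the defensive pattern the article calls for: the reset key is drawn from the operating system's CSPRNG via random_bytes(), only its hash is stored, and verification is constant-time and single-use. The function names, key length, lifetime and in-memory store are assumptions made for the example.

```php
<?php
// Added example (not WordPress code, not from ticket 28633): a password-reset
// key generated from a CSPRNG and verified in constant time. Function names,
// the storage array, key length and lifetime are assumptions for illustration.

declare(strict_types=1);

const RESET_KEY_BYTES = 32;   // 256 bits of entropy per key (assumption)
const RESET_KEY_TTL   = 3600; // key valid for one hour (assumption)

/**
 * Generate a reset key for a user and return the value to embed in the link.
 * random_bytes() reads the OS CSPRNG (PHP 7+) and throws an Exception if no
 * cryptographic source is available, rather than silently degrading to a
 * predictable generator.
 */
function generate_reset_key(array &$store, string $login): string
{
    $key = bin2hex(random_bytes(RESET_KEY_BYTES));

    // Store only a hash of the key, so a read of the table does not yield
    // usable reset links.
    $store[$login] = [
        'hash'    => hash('sha256', $key),
        'expires' => time() + RESET_KEY_TTL,
    ];
    return $key;
}

/**
 * Verify a presented key. hash_equals() avoids a timing side channel, and the
 * stored record is consumed on the first attempt, so each issued key allows
 * exactly one verification attempt.
 */
function verify_reset_key(array &$store, string $login, string $presented): bool
{
    if (!isset($store[$login])) {
        return false;
    }
    $record = $store[$login];
    unset($store[$login]);

    if ($record['expires'] < time()) {
        return false;
    }
    return hash_equals($record['hash'], hash('sha256', $presented));
}

// Demonstration with an in-memory array standing in for the users table.
$store = [];
$key   = generate_reset_key($store, 'alice');
var_dump(verify_reset_key($store, 'alice', $key)); // first attempt with the real key
var_dump(verify_reset_key($store, 'alice', $key)); // same key again: already consumed
```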
Anyone who succeeds would be able to compromise every WordPress installation on the web. However, no working method is currently available.
Arciszewski says he tried several times to bring the issue to the attention of the WordPress developers: first on June 25, 2014, by opening a ticket on the matter in the platform's issue tracker, and again during WordCamp Orlando, a conference focused on the WordPress platform.
A write-up published by the researcher, which fully discloses the vulnerability, also includes a patch he created, which has not yet been integrated into WordPress.
Patch available with unit tests and PHP 5.2 on Windows support at https://core.trac.wordpress.org/attachment/ticket/28633/28633.3.patch
Remember that WordPress is used by 75 million websites on the Internet. Nevertheless, exploiting this particular vulnerability requires a lot of knowledge and skill, which discourages many would-be hackers.