An attacker may be able to take full control of any website that uses the WordPress platform, due to the lack of a cryptographically secure pseudorandom number generator (CSPRNG).
A CSPRNG is a mechanism that produces random numbers on a computer which are suitable for cryptographic purposes, such as the generation of keys or salts. The numbers are called pseudo-random because a truly random sequence can only be produced in theory.
The WordPress bug was discovered by Scott Arciszewski, a web developer from Orlando, Florida. He has already informed the WordPress developers about the need to implement a CSPRNG mechanism in the platform, in order to eliminate even the slightest possibility that someone could guess the link used to reset access codes.
Anyone who succeeds would be able to compromise every WordPress site on the web. However, no such method is currently available.
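To make the point concrete, here is an added example (not WordPress code and not the researcher's patch) of how a password-reset token should be generated and checked with a CSPRNG in PHP 7 or later; the function names, the 20-byte token size and the one-hour expiry are assumptions for illustration.

```php
<?php
// Added example, not WordPress code and not the patch from the ticket.
// Requires PHP 7+ for random_bytes(); all names and sizes are illustrative.

// Weak pattern: mt_rand() and uniqid() are not CSPRNGs, so a token built from
// them can be predicted. Shown only to contrast with the secure version.
function weak_reset_token(): string {
    return md5(uniqid(mt_rand(), true));
}

// Secure pattern: random_bytes() draws from the OS CSPRNG and throws an
// Exception if no suitable source exists, instead of silently degrading.
function secure_reset_token(int $bytes = 20): string {
    if ($bytes < 16) {
        throw new InvalidArgumentException('reset token needs at least 128 bits');
    }
    return bin2hex(random_bytes($bytes));
}

// Persist only a hash of the token, so a database leak does not hand out
// live reset links.
function reset_token_hash(string $token): string {
    return hash('sha256', $token);
}

// Compare in constant time (hash_equals) and enforce the expiry window.
function verify_reset_token(string $presented, string $storedHash,
                            int $issuedAt, int $now, int $ttl = 3600): bool {
    if ($now - $issuedAt > $ttl) {
        return false;
    }
    return hash_equals($storedHash, reset_token_hash($presented));
}

// Usage: the hash and issue time would be stored next to the user record and
// the raw token sent to the user only once, inside the reset link.
$token    = secure_reset_token();
$stored   = reset_token_hash($token);
$issuedAt = time();

var_dump(verify_reset_token($token, $stored, $issuedAt, time()));        // valid
var_dump(verify_reset_token('guess', $stored, $issuedAt, time()));       // wrong token
var_dump(verify_reset_token($token, $stored, $issuedAt, time() + 7200)); // expired
```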
Arciszewski says he tried several times to bring the issue to the attention of the WordPress developers: first on June 25, 2014, by opening a ticket on the issue in the platform's tracker, and again during WordCamp in Orlando, a conference focused on the WordPress platform.
A post published by the researcher, which fully describes the vulnerability, also includes a patch he created, which has not yet been integrated into WordPress.
Patch available with unit tests and PHP 5.2 on Windows support at https://core.trac.wordpress.org/attachment/ticket/28633/28633.3.patch
Bear in mind that WordPress is used by 75 million websites on the internet. Nevertheless, exploiting this vulnerability requires considerable knowledge and skill, which discourages many would-be attackers.