An attacker may be able to take full control of a website running the WordPress platform because WordPress lacks a cryptographically secure pseudorandom number generator (CSPRNG).
A CSPRNG is a mechanism that generates random numbers on a computer which are suitable for cryptographic purposes, such as generating keys or salts. The numbers are called pseudorandom because a truly random sequence can only be produced at a theoretical level.
The flaw in WordPress was discovered by Scott Arciszewski, a web developer from Orlando, Florida. He has already informed the WordPress developers of the need to implement a CSPRNG mechanism in the platform, in order to eliminate even the slightest possibility that someone could predict the link used for password resets.
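As an added illustration of what a CSPRNG-backed reset link looks like in PHP (this is example code, not WordPress's own code or Arciszewski's patch; the helper names and the SHA-256 storage scheme are assumptions of this example):

```php
<?php
// Added example, not WordPress code or Arciszewski's patch: produce the
// password-reset key from a CSPRNG instead of a predictable generator, store
// only its hash, and verify it in constant time.

// Return $bytes bytes from the operating system's CSPRNG, or fail loudly.
function reset_key_random_bytes($bytes)
{
    if (function_exists('random_bytes')) {                 // PHP 7+
        return random_bytes($bytes);
    }
    if (function_exists('openssl_random_pseudo_bytes')) {  // PHP 5.3+
        $out = openssl_random_pseudo_bytes($bytes, $strong);
        if ($out !== false && $strong === true) {
            return $out;
        }
    }
    // Never fall back to mt_rand()/rand(): a predictable key is the very
    // weakness described above.
    throw new Exception('No CSPRNG available on this host');
}

// Build a 128-bit key: the hex form goes into the e-mailed link, only the
// hash is written to the database, so a database leak does not expose links.
function generate_reset_key()
{
    $key = bin2hex(reset_key_random_bytes(16));
    return array($key, hash('sha256', $key));
}

// Compare the submitted key with the stored hash without a timing side channel.
function verify_reset_key($submitted, $stored_hash)
{
    $submitted_hash = hash('sha256', $submitted);
    if (function_exists('hash_equals')) {                  // PHP 5.6+
        return hash_equals($stored_hash, $submitted_hash);
    }
    if (strlen($stored_hash) !== strlen($submitted_hash)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < strlen($stored_hash); $i++) {
        $diff |= ord($stored_hash[$i]) ^ ord($submitted_hash[$i]);
    }
    return $diff === 0;
}

list($key, $db_hash) = generate_reset_key();
var_dump(verify_reset_key($key, $db_hash));
```

Older PHP builds without either CSPRNG source (the PHP 5.2 on Windows case the patch below addresses) make this function throw rather than silently degrade.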
Anyone who succeeded would be able to compromise every WordPress site on the web. However, no working method is currently available.
Arciszewski says he has repeatedly tried to bring the issue to the attention of WordPress's developers. The first time was on the 25th in 2014, when he opened a ticket on the issue in the platform's tracker. The next time was during WordCamp in Orlando, a conference focused on the WordPress platform.
The researcher's publication fully discloses the vulnerability and also includes a patch he wrote himself, which has not yet been merged into WordPress.
The patch, with unit tests and support for PHP 5.2 on Windows, is available at https://core.trac.wordpress.org/attachment/ticket/28633/28633.3.patch
Remember that WordPress is used by 75 million websites on the internet. Nevertheless, exploiting this particular vulnerability requires a great deal of knowledge and skill, which discourages many would-be attackers.