An attacker may be able to take full control of a website that uses the platform WordPress due to lack of cryptographically secure pseudorandom number generator (CSPRNG).
CSPRNG is a mechanism that produces random numbers on a computer, which can be applied for cryptographic purposes, such as the production of keys or salts. The numbers are pseudo-random because a really random series can only be produced on a theoretical level.
The WordPress bug was discovered by Scott Arciszewski, a web developer from Orlando, Florida. He has already informed the WordPress engineers of the need to implement a CSPRNG mechanism in the platform, in order to eliminate even the slightest possibility that someone could predict the link used for the reset of the codes access.
Anyone who succeeds will be able to violate all WorrdPress that exist on the web. However, there is currently no available method.
Arciszewski says he has often tried to bring the issue to the attention of WorPress's technicians. 25 2014 for the first time in XNUMX, opening a ticket for the topic on the platform tracker. The next time was during WordCamp in Orlando, a conference that focused on WorPress platform.
A published by the researcher which completely reveals the vulnerability, also has a patch created by itself, which has not yet been integrated into WordPress.
Patch available with unit tests and PHP 5.2 on Windows support at https://core.trac.wordpress.org/attachment/ticket/28633/28633.3.patch
Remember that WordPress is used by 75 millions websites on the Internet. Nevertheless, this particular vulnerability requires a lot of knowledge and skills, which discourages many would-be hackers.