WordPress 2.6.2 was released due to a weakness that has been discovered in something known as mt_rand(). WordPress 2.6.2 is a critical release for those of you who allow open registration on your blog. Here is the reason why:
With open registration enabled, it is possible in WordPress versions 2.6.1 and earlier to craft a username such that it will allow resetting another user’s password to a randomly generated password. The randomly generated password is not disclosed to the attacker, so this problem by itself is annoying but not a security exploit. However, this attack coupled with a weakness in the random number seeding in mt_rand() could be used to predict the randomly generated password.
Along with this critical fix, 2.6.2 is an interim release and therefore contains a few other bug fixes as well, such as images that were always inserted into a post at full size, RSS widget linking if there isn't a link, and the inability to control where a user redirects to when they log in. You can view the rest of the bug fixes here (Fixed Bugs In 2.6.2).
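To make the mt_rand() point concrete, here is an added example (not code from WordPress or from the original post) in Python, whose `random` module uses the same Mersenne Twister (MT19937) generator as PHP's mt_rand(). It contrasts a reset password drawn from a seeded MT with one drawn from the operating system's CSPRNG; the charset and seed values are constructed for the demonstration.

```python
import random
import secrets
import string

# Constructed example charset: 62 symbols, as a typical reset-password generator might use.
ALPHABET = string.ascii_letters + string.digits


def weak_password(seed: int, length: int = 12) -> str:
    """Reset password drawn from a Mersenne Twister seeded with a caller-supplied value.

    random.Random is MT19937, the same generator behind PHP's mt_rand(). The output
    is fully determined by the seed: if the seed is derived from a low-entropy source
    (a timestamp, a process id), then not disclosing the password to the requester
    gives no protection, because the password is recoverable from the seed alone.
    """
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_password(length: int = 12) -> str:
    """Reset password drawn from the OS CSPRNG via the secrets module.

    There is no application-level seed, so two calls are independent and the
    generated password cannot be reconstructed from any value the attacker controls.
    """
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    seed = 1220000000  # constructed, timestamp-like seed value
    # Same seed, same "random" password: the weakness described in the post.
    print("weak  :", weak_password(seed), weak_password(seed))
    # Fresh CSPRNG output on every call: the mitigation.
    print("strong:", strong_password(), strong_password())
```

The weak generator returns the identical password every time it is seeded with the same value, which is what makes a predictable seed equivalent to disclosing the password.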
I have already upgraded my blog without a problem!
The issue regarding too many upgrades per year for WordPress is something that is worthy of discussion. However, in this case, the vulnerability is not tied to WordPress itself; rather, it lies within that rand function. This vulnerability actually affects just about every PHP script out there that allows open registration.
Just as we get used to one version… 😉
Knowing that, I shall have to upgrade all my blogs again. I am thinking of installing an automatic upgrading plug-in now, because it is always better to press a button and have everything occur without much hassle. Anyhow, don't you think that WordPress is issuing upgrades too fast? They should release some stable version, like for 6 months or so. I think Linux has such rules and it is a very successful thing.
Thanks for the reminder. I've been slacking and only got round to updating a few from the v2.5s.