Passwords changing without permission

[samh]

Hi

Does anyone know of an exploit that changes a user password without permission? Currently I'm notice it change back to their original password

We're using 3.0.1 - too many plugins to list!

Cheers for any help

Sam

[Jeffro]

Can't say I've read or heard anything on this. There was an issue back in the 2.8 days where someone could request a users password be changed which was more of an annoyance rather than a security issue.

http://wordpress.org/news/2009/08/2-...urity-release/

Doesn't sound related.

[andrea_r]

Original passwords aren't stored anywhere though.

[samh]

We have upgraded from 2.8.x to the current version - we went through 2.9 to get there but never actually used 2.9

So far it's only happened with one user, so we're not panicking just yet....but we don't of course want there to actually be an underlying problem that could affect everyone else

[andrea_r]

If it's one user, I'd be inclined to chalk it up to user error.

Like I sad above *nothing* stores the original password. If they were mid-way through a password reset, I could see it happening, but again - user error.

If it happens to another user, then I'd start looking at plugins.

[Jeffro]

Last night, I received an email that someone requested that my password be changed. In the email sent by WordPress, I had the choice of clicking a link where a new password would be sent or doing nothing which wouldn't have changed my password.

I didn't request my password to be changed so I ignored the email. However, that's how the process works.

[andrea_r]

But from the issue the OP is describing, the OP makes it sound as if that process is actually completed, then at some point, reverts.

[Ipstenu]

Might it be a DB rollback? Is anything else reverting?

[samh]

I'm not aware of anything else reverting Ipstenu - I suppose I could check this by changing my own password and seeing if that ever reverts

I'll keep you posted! Cheers guys