WordPress 2.6.2 is the latest release, less than a month after WordPress 2.6.1. It looks like another minor upgrade and is recommended if you allow open registration on your blog.
With open registration enabled, it is possible in WordPress 2.6.1 and earlier to craft a username such that it allows resetting another user’s password to a randomly generated one. On its own this is not a security threat, since the randomly generated password is not disclosed to the attacker, but it is an annoying problem in itself. However, this attack coupled with a weakness in the random number seeding of mt_rand() could be used to predict the randomly generated password. Stefan Esser will release details of the complete attack shortly. The attack is difficult to accomplish, but its mere possibility means we recommend upgrading to 2.6.2.
Other PHP apps are susceptible to this class of attack. To protect all of your apps, grab the latest version of Suhosin. If you’ve already updated Suhosin, your WordPress is protected.
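As an added illustration (not WordPress code and not from this post), the PHP below contrasts a reset-password generator built on mt_rand(), the kind of generator the seeding weakness above undermines, with one built on random_int(), which draws from the operating system's CSPRNG and so has no application-level seed to predict. The function names and the fixed seed used in the demo are assumptions for this example.

```php
<?php
// Added example, not WordPress code. Shows why a password generator that
// depends on mt_rand() inherits the weakness of its seed, and the hardened
// alternative defenders should use for reset passwords and tokens.

// Weak: every character is chosen by mt_rand(), a Mersenne Twister whose
// entire output stream is fixed by one 32-bit seed. If that seed is
// predictable (the seeding weakness the post refers to), the "random"
// password is predictable too.
function weak_generate_password(int $length = 12): string {
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()';
    $max = strlen($alphabet) - 1;
    $password = '';
    for ($i = 0; $i < $length; $i++) {
        $password .= $alphabet[mt_rand(0, $max)];
    }
    return $password;
}

// Hardened: random_int() (PHP >= 7.0) reads from the OS CSPRNG, so there is
// no seed state inside the application for an attacker to recover.
function secure_generate_password(int $length = 12): string {
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()';
    $max = strlen($alphabet) - 1;
    $password = '';
    for ($i = 0; $i < $length; $i++) {
        $password .= $alphabet[random_int(0, $max)];
    }
    return $password;
}

// Demonstration: two requests that end up with the same mt_rand() seed get
// the same "random" password; the CSPRNG version does not. The seed value
// 12345 is a constructed stand-in for any seed an attacker could guess.
mt_srand(12345);
$first = weak_generate_password();
mt_srand(12345);
$second = weak_generate_password();
var_dump($first === $second); // bool(true): same seed, same password

var_dump(secure_generate_password() === secure_generate_password()); // bool(false)
```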
WordPress 2.6.2 also contains a handful of bug fixes. Check out the full changeset and list of changed files.
I have just updated my blog and will do the same on the others I own too….