Yes, there is still no patch in sight of the latest WordPress Admin Password Reset exploit where anyone can reset admin password of any blog hosted on WordPress without any confirmation.
Whats the bug?
The password reset URL takes parameter with the name of key. If you pass this key as arbitrary text or empty then nothing happens and an error is displayed.
Someone really genius worked out a way to fool it and passed key which is an empty array! And the reset php page thinks it as valid and resets the password and sends out the email to the admin’s email address listed.
Whats the fix?
Open wp-login.php and goto line 190 (for WP 2.8.3) and line 169 (for earlier versions) and replace this line:
What does this mean?
This means that in addition to no value or null being passed, if some smart guy passes an array then that should also be treated as invalid.