WordPress 2.6.2

WordPress 2.6.2 was released on Sep 8, 2008. This release fixes the SQL column truncation issue and the mt_rand() seeding weakness reported by Stefan Esser. If you allow open registration on your blog, you should upgrade immediately: on 2.6.1 and earlier, a username can be crafted so that another user's password is reset to a randomly generated one.

On an unpatched blog, the randomly generated password is not disclosed to the attacker, so on its own this is an annoyance rather than an exploit. Combined with the weakness in the seeding of mt_rand(), however, the generated password could be predicted. Stefan Esser will publish the details of the complete attack shortly. The attack is difficult to carry out, but if your blog allows open user registration, upgrading to 2.6.2 is advisable to rule out passwords being reset.
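The two problems above (a duplicate check that sees the submitted username while the column stores a truncated copy, and a reset password drawn from a seedable generator) are easier to reason about in a small simulation. The following is an added example written for this page, not WordPress code: it models a user table whose login column silently truncates to a constructed width of 8 characters (plain truncation only; real databases layer collation and comparison rules on top, which are not modelled), shows a naive registration handler that lets two distinct submitted logins collapse onto one stored login, and a hardened handler that refuses any login the column cannot hold unchanged. The logins `sysadmin` and `sysadmin2` are constructed values, and the generated password comes from the operating system's CSPRNG via `secrets` instead of a seedable PRNG.

```python
import secrets

# Constructed column width for illustration only; a real schema is wider.
USERNAME_COLUMN_WIDTH = 8


class TruncatingUserTable:
    """Simulates a VARCHAR(width) column under a database mode that silently
    truncates overlong values instead of raising an error."""

    def __init__(self, width=USERNAME_COLUMN_WIDTH):
        self.width = width
        self.rows = []  # (stored_login, password), in insertion order

    def stored_form(self, login):
        # The value the column actually keeps: cut to the column width.
        return login[:self.width]

    def exists_exact(self, login):
        # Duplicate check on the string as submitted, not as stored.
        return any(stored == login for stored, _ in self.rows)

    def insert(self, login, password):
        self.rows.append((self.stored_form(login), password))

    def first_row_for(self, login):
        # A lookup by login returns the first matching row, like a query
        # that assumes the login column holds unique values.
        for index, (stored, _) in enumerate(self.rows):
            if stored == login:
                return index
        return None


def new_password():
    # Draw the generated password from the OS CSPRNG rather than a seedable
    # PRNG such as mt_rand(), so it cannot be predicted from a weak seed.
    return secrets.token_urlsafe(12)


def register_naive(table, login):
    """Vulnerable pattern: the duplicate check compares the full submitted
    string, while the table stores only the first `width` characters."""
    if table.exists_exact(login):
        return False
    table.insert(login, new_password())
    return True


def register_hardened(table, login):
    """Hardened pattern: refuse any login the column could not hold
    unchanged, then run the duplicate check on the form that would be stored."""
    if len(login) > table.width:
        return False
    if table.exists_exact(table.stored_form(login)):
        return False
    table.insert(login, new_password())
    return True


def reset_password(table, login):
    """Password reset as an application does it: find the row by login and
    overwrite its password. Returns the index of the row that was changed."""
    index = table.first_row_for(login)
    if index is None:
        return None
    stored, _ = table.rows[index]
    table.rows[index] = (stored, new_password())
    return index


def rows_for(table, login):
    # How many stored rows share one login; anything above 1 is a collision.
    return sum(1 for stored, _ in table.rows if stored == login)


if __name__ == "__main__":
    naive = TruncatingUserTable()
    register_naive(naive, "sysadmin")   # constructed login, exactly 8 characters
    register_naive(naive, "sysadmin2")  # 9 characters: passes the exact check, stored as "sysadmin"
    print("naive rows for sysadmin:", rows_for(naive, "sysadmin"))  # 2
    print("reset touches row:", reset_password(naive, "sysadmin"))  # 0, the first user's row

    hardened = TruncatingUserTable()
    register_hardened(hardened, "sysadmin")
    print("hardened accepts 9-char login:", register_hardened(hardened, "sysadmin2"))  # False
```

The point of the hardened handler is that the length check runs before the database sees the value, so truncation never happens, and the duplicate check compares what would be stored rather than what was typed. Running the database in a strict mode that rejects overlong values is the complementary server-side control.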

You can check out the handful of bug fixes in 2.6.2, as well as the full changeset and the list of changed files.