The scenario is like this: you go to leave a comment on someone’s site, and surreptitiously that (evil) site tricks you into changing your WordPress admin password and emailing it to the evil site owner by clicking what appears to be a comment submission button.

WordPress guards against CSRF attacks in general by confirming actions that don’t seem quite right (i.e. when the nonces don’t check out), but this attack hides all of the confirmation message except the approval button, which appears to be part of the evil site’s comment form.

It’s very easy to imagine how this could be targeted at a user’s blog by using the URL the user enters in an evil site’s comment form. I’ve submitted a suggested solution as a WordPress Trac ticket.

How can you avoid this attack for now? Don’t stay logged in to your WordPress blog when not necessary, and change the default username (or blog under another username with just “author” permissions, and keep “admin” just for occasional site maintenance).

UPDATE: My patch has been committed to both development WordPress and the 2.3 branch, so this issue should be taken care of in the next security release.