Greetings Patrick,
Thanks for your input -- and your participation here overall, for that matter.
Quote from: AMDbuilder at Nov 29, 2012, 11:07 AM
> There is always the possibility
I just did a diff on the old vs new (patched) forgot password plugin, and reading through it, what I see (mirroring Jay's forum post and the version readme) is that the fix filtered an input, and also prevented users who had been blocked for any reason from unblocking themselves.
I'm not seeing a vector for login access to unauthorized individuals other than those who were unauthorized because they were blocked. As I have no blocked users with a working password, it seems that no passwords would need to be changed. Wonder if you -- or anyone else -- sees it similarly.
Again -- if it were just me on one site, I'd just do the PW change, but because it's a large collection of clients, I'd like to think it through before I go through the process of asking them to go through password changes if necessary. As I read it, disabling the plugin has completely closed the door, even if someone had hypothetically tried the exploit before the door closed. Any thoughts?
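The two properties the post attributes to the patched plugin (an input is filtered, and a reset can no longer serve as a way for a blocked account to unblock itself) can be shown in a generic reset handler. The example below is added here for illustration; it is not the plugin's code or a reconstruction of its diff, and the user store, username pattern, token lifetime and function names are all assumptions. It checks the blocked flag both when a reset is requested and again when the token is consumed, and it never writes to that flag.

```python
import hashlib
import hmac
import re
import secrets
import time
from typing import Optional

# Constructed in-memory user store (assumption; a real plugin would query the CMS database).
USERS = {
    "alice":   {"blocked": False, "password_hash": "old-hash-alice"},
    "mallory": {"blocked": True,  "password_hash": "old-hash-mallory"},
}

# Input filter: only plain account names reach the lookup (assumed pattern).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")

TOKEN_TTL_SECONDS = 3600              # assumed lifetime of a reset token
RESET_TOKENS: dict = {}               # username -> (sha256(token), expiry)


def request_reset(username: str) -> Optional[str]:
    """Issue a reset token, or None if the request must be refused."""
    if not USERNAME_RE.fullmatch(username):
        return None                   # filtered input: reject rather than pass through
    user = USERS.get(username)
    if user is None or user["blocked"]:
        return None                   # blocked accounts get no reset path at all
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[username] = (digest, time.time() + TOKEN_TTL_SECONDS)
    return token                      # in a real system this is e-mailed, never shown


def complete_reset(username: str, token: str, new_password_hash: str) -> bool:
    """Consume a token and set a new password hash. Never touches the blocked flag."""
    record = RESET_TOKENS.get(username)
    user = USERS.get(username)
    if record is None or user is None:
        return False
    # Re-check the block: an admin may have blocked the account after the token was issued.
    if user["blocked"]:
        return False
    stored_digest, expiry = record
    if time.time() > expiry:
        del RESET_TOKENS[username]
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(stored_digest, presented):
        return False                  # constant-time compare, no hint about near misses
    del RESET_TOKENS[username]        # single use
    user["password_hash"] = new_password_hash
    return True


def is_blocked(username: str) -> bool:
    """Read-only view of the block state, for callers and tests."""
    return bool(USERS.get(username, {}).get("blocked", False))


if __name__ == "__main__":
    print("blocked user reset:", request_reset("mallory"))      # None
    print("filtered input:", request_reset("../../etc/passwd"))  # None
    tok = request_reset("alice")
    print("alice reset ok:", complete_reset("alice", tok, "new-hash-alice"))
```

The second blocked-flag check in `complete_reset` is the part that matters for the question in the post: even a token issued before an account was blocked cannot be used to change the password afterwards, and nothing in the reset path can flip `blocked` back to `False`.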