WordPress <= 2.8.3 Reset Admin Password Vulnerability


An exploit has been released for all current versions of WordPress including WordPress <= 2.8.3.
Laurent Gaffié, who published the finding, says:
          An attacker could exploit this vulnerability to compromise the admin
          account of any wordpress/wordpress-mu <= 2.8.3
From what I can tell, the vulnerability allows an attacker to reset the admin account's password without having a valid email address. This could certainly be used for denial of service, locking an admin out of their site by continually changing the password.

You can change any admin password on any WordPress blog as follows (taken from the exploit):
http://DOMAIN_NAME.TLD/wp-login.php?action=rp&key[]=
I’ve tested this and it does change the admin password. I haven’t looked at this for some time, but I believe WordPress generates a fairly strong password after a reset, something an attacker would have difficulty brute forcing or guessing.

BlogSecurity has recommended before that the /wp-admin/* directory should be password protected or restricted to IP address. This would mitigate this problem.
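As an added example (not from the original post and not WordPress's own code), the following Python scans web server access log lines for password-reset requests whose key parameter is array-typed, missing, or otherwise not a plain alphanumeric string; the request quoted above has exactly that array-typed shape. The log lines are constructed for this example, and the function names (classify_reset_key, scan_log) are assumptions. The same check is what a reset handler should enforce on its input: accept the key only when it is a single non-empty alphanumeric string, not a PHP array.

```python
"""Flag WordPress password-reset requests with malformed reset keys.

Added example, not from the original post or from WordPress. The log
lines below are constructed; the request shape they contain is the one
quoted in the post (wp-login.php?action=rp&key[]=).
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines in the common "combined" access log layout.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Aug/2009:12:00:01 +0000] "GET /wp-login.php?action=rp&key[]= HTTP/1.1" 200 1835
203.0.113.5 - - [10/Aug/2009:12:00:02 +0000] "GET /wp-login.php?action=rp&key%5B%5D=abc HTTP/1.1" 200 1835
198.51.100.7 - - [10/Aug/2009:12:01:10 +0000] "GET /wp-login.php?action=rp&key=4f2a9b3c1d HTTP/1.1" 200 2210
198.51.100.7 - - [10/Aug/2009:12:01:11 +0000] "GET /wp-login.php?action=rp HTTP/1.1" 200 1835
192.0.2.9 - - [10/Aug/2009:12:02:00 +0000] "GET /index.php HTTP/1.1" 200 9912
192.0.2.9 - - [10/Aug/2009:12:02:05 +0000] "GET /wp-login.php?action=lostpassword HTTP/1.1" 200 1500
"""

# client ip, timestamp, request target and status from one log line
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A legitimate reset link carries a single alphanumeric key; anything else
# (empty value, PHP array syntax such as key[]=, odd characters) is suspect.
KEY_RE = re.compile(r'^[A-Za-z0-9]+$')


def classify_reset_key(target):
    """Return None for requests that are not reset-key requests, otherwise
    'ok', 'missing-key', 'array-key' or 'malformed-key'."""
    parts = urlsplit(target)
    if not parts.path.endswith('/wp-login.php'):
        return None
    # keep_blank_values so that "key[]=" survives as ('key[]', '').
    # parse_qsl also decodes %5B%5D, so an encoded "key[]" is still caught.
    params = parse_qsl(parts.query, keep_blank_values=True)
    if ('action', 'rp') not in params:
        return None
    keys = [(name, value) for name, value in params
            if name == 'key' or name.startswith('key[')]
    if not keys:
        return 'missing-key'
    if any(name != 'key' for name, _ in keys):
        return 'array-key'      # PHP would build an array, not a string
    value = keys[-1][1]         # PHP keeps the last duplicate parameter
    if not KEY_RE.match(value):
        return 'malformed-key'
    return 'ok'


def scan_log(text):
    """Return (ip, timestamp, verdict, target) for each suspicious reset request."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        verdict = classify_reset_key(m.group('target'))
        if verdict and verdict != 'ok':
            findings.append((m.group('ip'), m.group('ts'), verdict, m.group('target')))
    return findings


if __name__ == '__main__':
    for ip, ts, verdict, target in scan_log(SAMPLE_LOG):
        print(f'{ts} {ip} {verdict}: {target}')
```

Run against a real access log by replacing SAMPLE_LOG with the file contents; an array-typed or empty key from the same client repeated many times is the pattern to look for when checking whether the lockout scenario described above is being attempted. Note that wp-login.php sits in the site root, not under /wp-admin/, so an access restriction that covers only /wp-admin/ does not see this request; to mitigate it the restriction also needs to cover wp-login.php.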
