There is a new and powerful exploit in the wild. I wrote a fix for it and it is working.
I am getting a bunch of system multicall hits on a test site. Each is about 160 name/password pairs. I captured the requests and tested them against some test sites, and they actually do 160 login attempts at a time. When I set one of them to a real ID/password, it reports back that that combo was successful.
I am thinking of writing a simple blocker for these attempts for people who do not have the beta test of my plugin.
The alternative to this is to commit the current beta to WordPress, but I don’t really want to do that. I do not have time right now to deal with the flood of support messages that will come when people figure out that I have changed something and the plugin behaves differently.
For anyone reading this – if you have not downloaded a beta version in a while, now is the time to do it.
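A sketch of the kind of simple blocker mentioned above, as an added example that is not the plugin's own code: it parses an XML-RPC request body, counts the calls batched inside `system.multicall`, and refuses requests over a limit. The limit of 5, the function names and the placeholder method `example.login` are assumptions, and the sample request is constructed.

```python
import xmlrpc.client
from collections import Counter

MAX_INNER_CALLS = 5  # assumed policy value; the post does not give one


def inspect_request(body, limit=MAX_INNER_CALLS):
    """Return (allowed, reason, per_method_counts) for one XML-RPC POST body."""
    try:
        params, method = xmlrpc.client.loads(body)
    except Exception as exc:  # malformed XML or XML-RPC: fail closed
        return False, f"unparseable request: {type(exc).__name__}", Counter()
    if not method:
        return False, "not a method call", Counter()
    if method != "system.multicall":
        return True, "single call", Counter({method: 1})
    # system.multicall takes one parameter: an array of
    # {methodName, params} structs, each executed as its own call.
    if len(params) != 1 or not isinstance(params[0], list):
        return False, "malformed multicall", Counter()
    counts = Counter()
    for call in params[0]:
        if not isinstance(call, dict) or not isinstance(call.get("methodName"), str):
            return False, "malformed multicall", counts
        counts[call["methodName"]] += 1
    if counts["system.multicall"]:
        return False, "nested multicall", counts
    total = sum(counts.values())
    if total > limit:
        return False, f"{total} calls in one request exceeds limit {limit}", counts
    return True, f"{total} batched calls", counts


def build_sample(n):
    """Constructed test input: n batched calls to a placeholder method."""
    calls = [{"methodName": "example.login", "params": [f"user{i}", f"pw{i}"]}
             for i in range(n)]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall").encode()


if __name__ == "__main__":
    for size in (3, 160):
        allowed, reason, counts = inspect_request(build_sample(size))
        print("ALLOW" if allowed else "BLOCK", reason, dict(counts))
```

The per-method counts are returned so a blocked request can be logged with what it was batching, not only that it was refused.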