WordPress Login Bug, Enables Third-Parties To Receive Security Tokens. When exploited can reveal account security tokens to other websites. The administrators of the image hosting site will then have the capability to log in as the WordPress.com sites owner as a result of the bug. This happens without the WordPress site notifying them to enter a valid username and password, as the security token provides the identity that the WordPress.com site will accept as valid. The bug was described as the web admin who chose to use a 3rd party. hosting site, that site receives the. WordPress security token the moment the iOS app was used to edit the site.”]
Source: https://hackercombat.com/wordpress-login-bug-enables-third-parties-to-receive-security-tokens/