WordPress Core - All Known Versions - Cleartext Storage of wp_signups.activation_key

Vulnerability Overview

For all known versions of WordPress Core, a persistent security configuration exists where activation keys for new user registrations are stored as cleartext in the wp_signups database table. This differs from the wp_users table, which hashes the user_activation_key for established accounts.

While WordPress has set a strong precedent for secure password storage by using hashing algorithms (MD5 historically, bcrypt/Argon2 currently) for user credentials in the wp_users table, this standard is not applied to the wp_signups activation_key. The inconsistency creates a security gap that an attacker with read access to the database can use to hijack user accounts during the registration phase.

This vulnerability, tracked as , involves the storage of sensitive activation tokens in a way that can lead to unauthorized account takeover. It is classified as a severity vulnerability with a CVSS score of 5.3.

The Core Vulnerability: Cleartext vs. Hashed Keys

When an existing user resets their password, the activation key generated is stored as a hash. If a database leak occurs, an attacker cannot immediately use the stored value to reset the password. For new registrations, the core code logic in wp-includes/ms-functions.php (and related user management files) instead performs a direct string comparison between the key carried in the activation link and the cleartext value stored in wp_signups.

This stands in contrast to password verification, which uses wp_check_password() to compare a provided string against a stored hash.

Attack Scenario and Impact

An attacker leverages a separate vulnerability (such as a plugin SQL injection) to read the database. Because the wp_signups row holds the activation key in cleartext, the value read from the table is sufficient to complete the pending registration.

If the registration involves an existing user being added to a new site, or if the attacker registers a username identical to an existing administrator on a different network site (depending on configuration), the potential for privilege escalation is high. Even for new users, hijacking an account allows the attacker to bypass email verification checks, which are often a gating mechanism for permissions.

Critics often argue that if an attacker has read access to the database, the site is already compromised. While true regarding site integrity, the impact of this vulnerability is credential reuse and identity theft. WordPress core developers have acknowledged this but classified it as or low priority.

Mitigation

Store activation_key_hash (e.g., SHA-256) instead of plaintext. The activation link would still contain the plaintext key; WordPress would hash the incoming key and compare it against the stored hash.
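As an added illustration of the two comparison paths described above and of the proposed fix, the following PHP script is not WordPress core code: a plain array stands in for the wp_signups table, the function names (store_signup_plaintext, verify_signup_hashed, leaked_value_completes_activation and so on), the key generator and the sample account are all constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example, not WordPress core code. A PHP array stands in for the
// wp_signups table (user_login => activation_key column). Every function name,
// the sample login and the generated keys are constructed for this illustration.

// Stand-in for WordPress's own key generator: 16 random bytes, hex-encoded.
function new_activation_key(): string
{
    return bin2hex(random_bytes(16));
}

// --- Current behaviour: cleartext column, direct string comparison -----------

function store_signup_plaintext(array &$table, string $login, string $key): void
{
    $table[$login] = $key;                 // the e-mailed key is persisted verbatim
}

function verify_signup_plaintext(array $table, string $login, string $key): bool
{
    return isset($table[$login]) && $table[$login] === $key;   // direct string comparison
}

// --- Proposed behaviour: persist only a SHA-256 digest (activation_key_hash) --

function store_signup_hashed(array &$table, string $login, string $key): void
{
    $table[$login] = hash('sha256', $key); // the activation link still carries $key
}

function verify_signup_hashed(array $table, string $login, string $key): bool
{
    if (!isset($table[$login])) {
        return false;
    }
    // hash_equals() runs in constant time, so the comparison does not leak via timing.
    return hash_equals($table[$login], hash('sha256', $key));
}

// Models the database-leak scenario from the advisory: is the column value that a
// database reader can see, on its own, enough to pass the activation check?
function leaked_value_completes_activation(array $table, string $login, callable $verify): bool
{
    return isset($table[$login]) && $verify($table, $login, $table[$login]);
}

// Demonstration with a constructed pending registration.
$login = 'newuser';
$key   = new_activation_key();           // what the registration e-mail would contain

$current = [];
store_signup_plaintext($current, $login, $key);

$hardened = [];
store_signup_hashed($hardened, $login, $key);

// The legitimate user following the e-mailed link passes under both schemes.
echo 'plaintext scheme, real link: ', var_export(verify_signup_plaintext($current, $login, $key), true), PHP_EOL;
echo 'hashed scheme, real link:    ', var_export(verify_signup_hashed($hardened, $login, $key), true), PHP_EOL;

// A database reader holding only the stored column value.
echo 'plaintext scheme, leaked column: ',
    var_export(leaked_value_completes_activation($current, $login, 'verify_signup_plaintext'), true), PHP_EOL;
echo 'hashed scheme, leaked column:    ',
    var_export(leaked_value_completes_activation($hardened, $login, 'verify_signup_hashed'), true), PHP_EOL;
```

Run it with `php signup_keys.php`. The design point worth noting is that the hashed scheme needs no change to the e-mail or the link format, and a migration can hash the existing cleartext column in place: because verification always hashes the incoming key before comparing, rows that were created before the change keep working after their stored value is replaced by its digest.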