wordpress core - all known versions - cleartext storage of wp_signups.activation_keywordpress core - all known versions - cleartext storage of wp_signups.activation_key
NEW RELEASE

THE 5 TYPES OF WEALTH LIFE PLANNER

This interactive companion to the New York Times bestselling book The 5 Types of Wealth will help you define your priorities and achieve true wealth for a happier, more fulfilled life.

Order NowLearn More

Turn the book into action—order the interactive Life Planner companion today!

Preorder the companion Life Planner today!

wordpress core - all known versions - cleartext storage of wp_signups.activation_key
wordpress core - all known versions - cleartext storage of wp_signups.activation_key

Wordpress Core - All Known Versions - Cleartext Storage Of Wp_signups.activation_key [extra Quality] Today

: While this specific key storage issue persists, running the latest versions of WordPress and PHP (8.1+) ensures that other weak hashing algorithms (like legacy MD5) are replaced with modern standards like Argon2 or bcrypt, reducing the overall attack surface.

Store activation_key_hash (e.g., sha256 ) instead of plaintext. The activation link would still contain the plaintext key; WordPress would hash the incoming key and compare against the stored hash.

An attacker leverages a separate vulnerability (like a plugin SQLi) to read the database.

(Context-dependent) CVSS 3.1 Score Estimate: ~4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) Verdict: Not a traditional vulnerability, but a design weakness that violates cryptographic best practices for sensitive activation tokens.