Core - All Known Versions - Cleartext Storage Of Wp_signups.activation_key — Wordpress

: When a new user registers (primarily on WordPress Multisite installations), the activation key is stored in cleartext . This key is what the user clicks in their "Confirm your account" email.

Critics often argue that if an attacker has read access to the database, the site is already compromised. While true regarding site integrity, the impact of this vulnerability is credential reuse and identity theft .

When resending an activation email, generate a new key and overwrite the old one.

| Scenario | Impact | |----------|--------| | on a multisite install | Attacker reads pending activation keys → activates accounts without permission. | | Backup exposure (e.g., unsecured .sql file) | All historical activation keys exposed → dormant user accounts compromised. | | Malicious admin with read-only DB access | Harvests keys to escalate privileges (e.g., activate an admin signup). | | Insider threat / developer with DB access | Plaintext keys immediately usable. | : When a new user registers (primarily on

This is classified as a severity vulnerability with a CVSS score of 5.3 .

Account hijacking. An attacker can use a retrieved cleartext key to activate and take control of unactivated user accounts before the legitimate user does.

WordPress Security Team should treat this as a hardening priority for future Core releases. Implementing password-style hashing for activation keys is a low-effort, high-reward change that closes a persistent security gap. While true regarding site integrity, the impact of

This is most relevant for Multisite installations , where the wp_signups table is actively used to manage pending registrations for both users and new sites. Comparison of Storage Mechanisms

Medium/High (Context-Dependent) Status: Unpatched/By Design (All known versions up to current release) Component: User Registration / WordPress Multi-site (WP_MS)

: While this specific key storage issue persists, running the latest versions of WordPress and PHP (8.1+) ensures that other weak hashing algorithms (like legacy MD5) are replaced with modern standards like Argon2 or bcrypt, reducing the overall attack surface. | | Backup exposure (e

This vulnerability, tracked as , involves the storage of sensitive activation tokens in a way that could lead to unauthorized account takeovers. The Core Vulnerability: Cleartext vs. Hashed Keys

If the registration involves an existing user being added to a new site, or if the attacker registers a username identical to an existing administrator on a different network site (depending on configuration), the potential for privilege escalation is high. Even for new users, hijacking an account allows the attacker to bypass email verification checks, often a gating mechanism for permissions.