user_activation_key is not hashed in the database
Reported by: harrym | Owned by: nacin
WordPress 3.5.2 does not hash user_activation_key in the database. user_activation_key is a one-time password generated and used during the password reset process.
In combination with another vulnerability that reveals database fields, this value can be used to set a new password for a user account, bypassing the need to extract and brute-force password hashes.
To address this issue, user_activation_key should be hashed in the database, as passwords are.
[NB: I have not attached a patch because the core team have already agreed that they will target a fix for 3.7]
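As an added illustration (not WordPress core code and not the reporter's patch), the following plain PHP places the storage pattern the ticket describes beside the hashed storage it asks for. The in-memory `$users` array, the helper names, the `issued:hash` layout with an expiry, and the use of `password_hash()`/`password_verify()` in place of WordPress's own hashing functions are all assumptions made for this example.

```php
<?php
// Added example, not WordPress code. A PHP array stands in for the users
// table; the column name user_activation_key mirrors the ticket.
// password_hash()/password_verify() stand in for the project's own hashing.

// Constructed sample "users" table keyed by login.
$users = [
    'alice' => ['user_activation_key' => ''],
];

// Weak pattern (what the ticket reports): the one-time key is stored as-is,
// so any disclosure of this column yields a key that passes the reset check.
function issue_reset_key_plain(array &$users, string $login): string
{
    $key = bin2hex(random_bytes(20));
    $users[$login]['user_activation_key'] = $key;
    return $key; // delivered to the user out of band (e-mail)
}

// Hardened pattern (what the ticket asks for): only a hash is stored, as is
// done for passwords. The issue timestamp prefix is an assumption added here
// so the key can also expire; bcrypt output never contains ':'.
function issue_reset_key_hashed(array &$users, string $login): string
{
    $key = bin2hex(random_bytes(20));
    $users[$login]['user_activation_key'] =
        time() . ':' . password_hash($key, PASSWORD_DEFAULT);
    return $key;
}

// Verifies a presented key against the stored hash. A copied column value
// is not the key itself, so it does not verify; a valid key is single-use.
function check_reset_key(array &$users, string $login, string $key, int $ttl = 86400): bool
{
    $stored = $users[$login]['user_activation_key'] ?? '';
    if ($stored === '' || strpos($stored, ':') === false) {
        return false; // nothing outstanding, or legacy plain-text format
    }
    [$issued, $hash] = explode(':', $stored, 2);
    if (!ctype_digit($issued) || (int) $issued + $ttl < time()) {
        return false; // expired
    }
    if (!password_verify($key, $hash)) {
        return false;
    }
    $users[$login]['user_activation_key'] = ''; // consume the key
    return true;
}

// Demonstration.
issue_reset_key_plain($users, 'alice');
echo "stored (weak): {$users['alice']['user_activation_key']}\n"; // the usable key itself

$key = issue_reset_key_hashed($users, 'alice');
echo "stored (hardened): {$users['alice']['user_activation_key']}\n"; // timestamp:$2y$...

// A disclosed column value does not pass the check; the real key passes once.
$disclosed = explode(':', $users['alice']['user_activation_key'], 2)[1];
var_dump(check_reset_key($users, 'alice', $disclosed)); // bool(false)
var_dump(check_reset_key($users, 'alice', $key));       // bool(true)
var_dump(check_reset_key($users, 'alice', $key));       // bool(false), already consumed
```

Run with `php example.php` (PHP 7.1 or later for the array destructuring and typed parameters). The expiry check is not part of the ticket's request; it is included because a hashed key with no lifetime still remains valid indefinitely if the database is exposed before the reset completes.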
Change History (7)
- Summary changed from WordPress does not hash user_activation_key in the database to user_activation_key is not hashed in the database
- Keywords has-patch added
- Milestone changed from Awaiting Review to 3.7