id,summary,reporter,owner,description,type,status,priority,milestone,component,version,severity,resolution,keywords,cc,focuses
24783,user_activation_key is not hashed in the database,harrym,nacin,"WordPress 3.5.2 does not hash user_activation_key in the database. user_activation_key is a one-time password generated and used during the password reset process. In combination with another vulnerability that reveals database fields, this value can be used to set a new password for a user account, bypassing the need to extract and brute-force password hashes. To address this issue, user_activation_key should be hashed in the database, as passwords are. [NB: I have not attached a patch because the core team have already agreed that they will target a fix for 3.7] ",task (blessed),closed,normal,3.7,Users,3.6,normal,fixed,has-patch,,