Opened 3 weeks ago
Closed 3 weeks ago
#63573 closed defect (bug) (duplicate)
wp_signups.activation_key stored in cleartext – inconsistent with wp_users.user_activation_key
Reported by:
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: General
Keywords:
Focuses:
Cc:
Description
Currently, the activation_key stored in the wp_signups table is saved in cleartext, unlike the user_activation_key in the wp_users table, which is hashed using wp_hash_password().
This inconsistency introduces a security weakness, particularly in multisite setups. An attacker who gains read access to the database (e.g., via SQL injection or misconfigured permissions) could:
Read cleartext activation keys from wp_signups
Use them to fraudulently activate unconfirmed user accounts
This issue becomes more critical when:
The site is open for public registration (multisite with signups enabled)
The database is exposed through any plugin or access misconfiguration
💡 Proposed Change:
Update the signup activation logic to hash the activation_key before saving it in wp_signups, and modify the corresponding activation flow to use wp_check_password() when comparing the key.
This will:
Align with existing security practices used in wp_users
Mitigate the risk of account hijacking through leaked or accessed cleartext keys
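To make the proposed change concrete, here is an added illustration (not WordPress core code and not from the reporter) of the current cleartext write beside a hashed write and its matching check. The two example_* functions are hypothetical names; wp_hash_password(), wp_check_password(), wp_generate_password(), $wpdb and the wp_signups columns are real core APIs. It assumes a loaded WordPress multisite environment, and it assumes the activation link carries user_login alongside the key, because a salted hash cannot be used as a lookup column the way the cleartext key is today.

```php
<?php
// Added example, not core code. Requires a loaded WordPress multisite.

// Current behaviour (weak): the raw key is persisted in wp_signups, so anyone
// with read access to the table can activate the pending account.
function example_store_signup_cleartext( $user_login, $user_email ) {
    global $wpdb;
    $key = wp_generate_password( 20, false ); // mailed to the user
    $wpdb->insert( $wpdb->signups, array(
        'user_login'     => $user_login,
        'user_email'     => $user_email,
        'registered'     => current_time( 'mysql', true ),
        'activation_key' => $key, // cleartext
    ) );
    return $key;
}

// Proposed behaviour: only a password-style hash of the key is persisted,
// matching how wp_users.user_activation_key is handled.
function example_store_signup_hashed( $user_login, $user_email ) {
    global $wpdb;
    $key = wp_generate_password( 20, false ); // mailed to the user, never stored
    $wpdb->insert( $wpdb->signups, array(
        'user_login'     => $user_login,
        'user_email'     => $user_email,
        'registered'     => current_time( 'mysql', true ),
        'activation_key' => wp_hash_password( $key ), // salted hash only
    ) );
    return $key;
}

// Activation check: locate the pending row by user_login (assumed to travel
// with the key in the activation link), then verify the submitted key
// against the stored hash with wp_check_password().
function example_activate_signup_hashed( $user_login, $submitted_key ) {
    global $wpdb;
    $signup = $wpdb->get_row( $wpdb->prepare(
        "SELECT * FROM {$wpdb->signups} WHERE user_login = %s AND active = 0",
        $user_login
    ) );
    if ( ! $signup || ! wp_check_password( $submitted_key, $signup->activation_key ) ) {
        return new WP_Error( 'invalid_key', __( 'Invalid activation key.' ) );
    }
    // Caller proceeds with account creation and marks the row active.
    return $signup;
}
```

A leaked wp_signups row then yields only a hash, and the mailed key remains the single secret needed to activate.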
Attachments (4)
Change History (6)
#1 @ 3 weeks ago
Welcome to trac @misoksimin & thanks for submitting the ticket 🙌
I can confirm that activation_key in wp_signups is saved in cleartext format, contrary to it being stored as a hash in the wp_users table, as visible in the attachments above.
I'll be happy to work on a patch that fixes this so when core committers see this issue a solution is already underway...
Activation key stored in wp_users table