[wp-trac] [WordPress Trac] #24783: WordPress does not hash user_activation_key in the database
WordPress Trac
noreply at wordpress.org
Wed Jul 17 10:26:28 UTC 2013
#24783: WordPress does not hash user_activation_key in the database
-------------------------+-----------------------------
Reporter: harrym | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Users | Version: trunk
Severity: normal | Keywords:
-------------------------+-----------------------------
WordPress 3.5.2 does not hash user_activation_key in the database.
user_activation_key is a one-time password generated and used during the
password reset process.
In combination with another vulnerability that reveals database fields,
this value can be used to set a new password for a user account, bypassing
the need to extract and brute-force password hashes.
To address this issue, user_activation_key should be hashed in the
database, as passwords are.
[NB: I have not attached a patch because the core team have already agreed
that they will target a fix for 3.7]
--
Ticket URL: <http://core.trac.wordpress.org/ticket/24783>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
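
The storage scheme the ticket asks for, as an added example that is not WordPress core code and not part of the original ticket: only a digest of the reset key is stored, so a value read from the user_activation_key column cannot be submitted as the key. The function names, the in-memory `$db` array standing in for the users table, the one-hour lifetime, and the use of SHA-256 over a random 160-bit key (instead of the password hasher) are assumptions of this example.

```php
<?php
// Added example; not WordPress core code. $db is a constructed stand-in
// for the users table, keyed by login.

const RESET_TTL = 3600; // assumed key lifetime in seconds

// Create a reset key. The plaintext is returned for the e-mail link only;
// the database gets "<issued-at>:<sha256 of key>".
function issue_reset_key(array &$db, string $login, int $now): string
{
    $key = bin2hex(random_bytes(20)); // 160 bits from the CSPRNG
    $db[$login]['user_activation_key'] = $now . ':' . hash('sha256', $key);
    return $key;
}

// Validate a submitted key against the stored digest. The stored value is
// cleared on success or expiry, so a key works at most once.
function check_reset_key(array &$db, string $login, string $key, int $now): bool
{
    $stored = $db[$login]['user_activation_key'] ?? '';
    if ($stored === '' || strpos($stored, ':') === false) {
        return false; // no reset pending for this login
    }
    [$issued, $digest] = explode(':', $stored, 2);
    if ($now - (int) $issued > RESET_TTL) {
        $db[$login]['user_activation_key'] = '';
        return false; // expired
    }
    // Constant-time comparison of the stored digest with the digest of the input.
    if (!hash_equals($digest, hash('sha256', $key))) {
        return false;
    }
    $db[$login]['user_activation_key'] = '';
    return true;
}

// Constructed sample data.
$db  = ['alice' => ['user_activation_key' => '']];
$now = 1374056788;
$key = issue_reset_key($db, 'alice', $now);

// What a database read would reveal, submitted as if it were the key.
$leaked = $db['alice']['user_activation_key'];
var_dump(check_reset_key($db, 'alice', $leaked, $now + 60));
// The key from the e-mail, then the same key submitted a second time.
var_dump(check_reset_key($db, 'alice', $key, $now + 60));
var_dump(check_reset_key($db, 'alice', $key, $now + 61));
```

A fast hash is sufficient here only because the key is long and random; a short or guessable key would need the same slow hashing that passwords get.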