[wp-trac] [WordPress Trac] #38474: wp_signups.activation_key stores activation keys in plain text

WordPress Trac noreply at wordpress.org
Mon Oct 24 16:17:30 UTC 2016


#38474: wp_signups.activation_key stores activation keys in plain text
-------------------------+-----------------------------
 Reporter:  tomdxw       |      Owner:
     Type:  enhancement  |     Status:  new
 Priority:  normal       |  Milestone:  Awaiting Review
Component:  Security     |    Version:  4.6.1
 Severity:  normal       |   Keywords:
  Focuses:               |
-------------------------+-----------------------------
 == Steps

 1. Visit /wp-admin/user-new.php (on a multisite installation - I haven't
 tested on single site)
 2. Fill out the "Add New User" form but do not check the "Skip
 Confirmation Email" checkbox
 3. The user will be sent an email containing a link to
 /wp-activate.php?key=7259c714857ef009

 == Actual behaviour

 This key is stored in the database unencrypted:

 {{{
 mysql> select activation_key from wp_signups where signup_id=4;
 +------------------+
 | activation_key   |
 +------------------+
 | 7259c714857ef009 |
 +------------------+
 1 row in set (0.00 sec)
 }}}

 == Expected behaviour

 wp_users.user_activation_key contains a timestamp and a hash of the key.
 wp_signups.activation_key is no less important to security and so should
 include these security features too.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/38474>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
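The scheme the reporter asks for, shown as an added stand-alone example rather than WordPress core code: the link carries the raw key, the database column holds only `<timestamp>:<hash>` in the style of `wp_users.user_activation_key`, and verification checks the hash with a constant-time comparison and rejects keys older than a lifetime. Function names, the two-day lifetime and the use of PHP's `password_hash()` (core's reset-key code uses its own PHPass-based hasher) are this example's assumptions, not something the ticket specifies.

```php
<?php
declare(strict_types=1);

// Added example, not WordPress core code. Assumed signup-key lifetime: 2 days.
const ACTIVATION_KEY_LIFETIME = 2 * 86400;

/**
 * Generate a fresh activation key for the email link together with the value
 * that belongs in wp_signups.activation_key instead of the raw key.
 *
 * @return array{key: string, stored: string}
 */
function create_activation_key(?int $now = null): array
{
    $now = $now ?? time();
    // 16 hex chars, same length as the key in the ticket; random_bytes() is CSPRNG-backed.
    $key = bin2hex(random_bytes(8));
    // Persist only a slow hash of the key, prefixed with the creation time,
    // mirroring the "<time>:<hash>" layout of wp_users.user_activation_key.
    $stored = $now . ':' . password_hash($key, PASSWORD_DEFAULT);
    return ['key' => $key, 'stored' => $stored];
}

/**
 * Check a key taken from /wp-activate.php?key=... against the stored column.
 * Returns true only when the hash matches and the key has not expired.
 */
function verify_activation_key(string $key, string $stored, ?int $now = null): bool
{
    $now = $now ?? time();
    if ($key === '' || strpos($stored, ':') === false) {
        return false; // legacy plain-text rows never verify under the new scheme
    }
    [$created, $hash] = explode(':', $stored, 2);
    if (!ctype_digit($created)) {
        return false; // malformed timestamp prefix
    }
    if ($now - (int) $created > ACTIVATION_KEY_LIFETIME) {
        return false; // expired: a dumped column is useless after the window
    }
    // password_verify() compares in constant time, so a timing side channel
    // does not leak how much of a guessed key was correct.
    return password_verify($key, $hash);
}

// Demonstration with a freshly generated key.
$signup = create_activation_key();
printf("Link key:     %s\nStored value: %s\n", $signup['key'], $signup['stored']);
var_dump(verify_activation_key($signup['key'], $signup['stored']));
var_dump(verify_activation_key('7259c714857ef009', $signup['stored']));
var_dump(verify_activation_key($signup['key'], $signup['stored'], time() + 3 * 86400));
```

One consequence worth planning for: once the column holds a hash, the signup row can no longer be located with `WHERE activation_key = %s`, so the activation link has to carry a separate row identifier (the way reset links carry the user login) and the hash is checked only after the row has been fetched by that identifier.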