[wp-trac] [WordPress Trac] #38474: wp_signups.activation_key stores activation keys in plain text
WordPress Trac
noreply at wordpress.org
Thu Oct 12 12:50:17 UTC 2017
#38474: wp_signups.activation_key stores activation keys in plain text
-------------------------+------------------------
Reporter: tomdxw | Owner: bor0
Type: enhancement | Status: assigned
Priority: normal | Milestone: 5.0
Component: Security | Version: 4.6.1
Severity: normal | Resolution:
Keywords: has-patch | Focuses: multisite
-------------------------+------------------------
Comment (by tomdxw):
@bor0:
The wp_users.user_activation_key field includes a timestamp, and by
default the activation link expires after 24 hours. This means that if
somebody receives an activation email but they forget about it, and then
an attacker gains access to their email days or weeks later, the attacker
doesn't have instant access to the site.
https://github.com/WordPress/WordPress/blob/2ad86e1e82722d8cdae17ff10e34672c8e6ab93a/wp-includes/user.php#L2195-L2196
https://github.com/WordPress/WordPress/blob/2ad86e1e82722d8cdae17ff10e34672c8e6ab93a/wp-includes/user.php#L2248-L2271
I think it would be appropriate to use a timestamp here also.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/38474#comment:14>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
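The storage scheme the comment above argues for, written out as an added, self-contained example. This is illustrative code, not WordPress's own implementation and not part of the ticket: the function names, the `timestamp:sha256(token)` column layout, the 24-hour lifetime (DAY_IN_SECONDS in WordPress, hard-coded here as an assumption) and the choice of SHA-256 over a password hasher are all assumptions made for the example. The point it demonstrates is the one tomdxw makes: a stored value that carries both a hash and an issue time means a database read does not yield a usable key, and a mailbox compromised days after the email was sent does not yield one either.

```python
import hashlib
import hmac
import secrets
import time

# Assumed lifetime of an activation link; the comment cites WordPress's 24-hour default.
KEY_TTL_SECONDS = 24 * 60 * 60


def make_activation_key(now=None):
    """Return (plain_key, stored_value).

    plain_key goes into the activation email only; stored_value is what the
    database column holds. The token has 256 bits of entropy, so a plain
    SHA-256 (no salt, no work factor) is enough to make the stored value
    useless to someone who only reads the table.
    """
    now = int(time.time()) if now is None else int(now)
    plain_key = secrets.token_urlsafe(32)
    digest = hashlib.sha256(plain_key.encode()).hexdigest()
    return plain_key, f"{now}:{digest}"


def check_activation_key(plain_key, stored_value, now=None, ttl=KEY_TTL_SECONDS):
    """Validate a key presented from an activation link against the stored value.

    Rejects: values without a timestamp (a legacy plain-text row never
    verifies), malformed or future-dated timestamps, expired keys, and
    keys whose hash does not match. Comparison is constant-time.
    """
    now = int(time.time()) if now is None else int(now)
    if not stored_value or ":" not in stored_value:
        return False  # legacy plain-text key or empty row: never accept
    issued_str, digest = stored_value.split(":", 1)
    if not issued_str.isdigit():
        return False
    issued = int(issued_str)
    if issued > now:
        return False  # timestamp tampered or clock skew: refuse rather than guess
    if now - issued > ttl:
        return False  # link sat unused longer than the lifetime
    expected = hashlib.sha256(plain_key.encode()).hexdigest()
    return hmac.compare_digest(expected, digest)


def demo():
    """Walk through the scenario in the comment with fixed clock values."""
    issued_at = 1_700_000_000  # constructed timestamp for the signup
    plain_key, stored_value = make_activation_key(now=issued_at)
    results = {
        # user clicks the link an hour later: accepted
        "fresh": check_activation_key(plain_key, stored_value, now=issued_at + 3600),
        # attacker reads the old email two weeks later: expired
        "stale": check_activation_key(plain_key, stored_value, now=issued_at + 14 * 86400),
        # attacker reads the database and replays the stored value as a key: hash mismatch
        "db_value_replayed": check_activation_key(stored_value.split(":", 1)[1],
                                                  stored_value, now=issued_at + 60),
        # a legacy row that stored the plain key with no timestamp: never accepted
        "legacy_plain_row": check_activation_key(plain_key, plain_key, now=issued_at + 60),
    }
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The `stale` case is the one the comment is about: the key in the mailbox is genuine, but the timestamp in the stored value lets the server refuse it without any state beyond the column itself.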