[wp-trac] [WordPress Trac] #63573: wp_signups.activation_key stored in cleartext – inconsistent with wp_users.user_activation_key
WordPress Trac
noreply at wordpress.org
Mon Jun 16 08:54:07 UTC 2025
#63573: wp_signups.activation_key stored in cleartext – inconsistent with wp_users.user_activation_key
--------------------------+-----------------------------
Reporter: misoksimin | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version:
Severity: normal | Keywords:
Focuses: |
--------------------------+-----------------------------
Currently, the activation_key stored in the wp_signups table is saved in
cleartext, unlike the user_activation_key in the wp_users table, which is
hashed using wp_hash_password().
This inconsistency introduces a security weakness, particularly in
multisite setups. An attacker who gains read access to the database (e.g.,
via SQL injection or misconfigured permissions) could:
 * Read cleartext activation keys from wp_signups
 * Use them to fraudulently activate unconfirmed user accounts
This issue becomes more critical when:
 * The site is open for public registration (multisite with signups enabled)
 * The database is exposed through any plugin or access misconfiguration
💡 Proposed Change:
Update the signup activation logic to hash the activation_key before
saving it in wp_signups, and modify the corresponding activation flow to
use wp_check_password() when comparing the key.
This will:
 * Align with existing security practices used in wp_users
 * Mitigate the risk of account hijacking through leaked or accessed
   cleartext keys
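To make the proposed change concrete, the following is an added illustration written for this ticket; it is not code from WordPress core and not a patch proposed by the reporter. It uses the real wp_hash_password(), wp_check_password(), wp_generate_password() and $wpdb APIs, but the helper names (example_store_signup_key, example_verify_signup_key) are hypothetical. One design consequence the illustration assumes: once only a hash is stored, the signup row can no longer be found by the cleartext key, so the activation link must also carry an identifier (here user_login) that the verifier uses to locate the row before comparing the key.

```php
<?php
// Added illustration for ticket #63573; not WordPress core code.
// Assumes WordPress is loaded on a multisite install ($wpdb->signups exists).
// Helper names are hypothetical.

/**
 * Generate a random activation key, store only its hash in wp_signups,
 * and return the cleartext key so it can be placed in the activation e-mail.
 * The cleartext key is never written to the database.
 */
function example_store_signup_key( string $user_login, string $user_email ): string {
    global $wpdb;

    // Random alphanumeric key; only the e-mail recipient ever sees it.
    $key = wp_generate_password( 16, false );

    $wpdb->insert(
        $wpdb->signups,
        array(
            'domain'         => '',
            'path'           => '',
            'title'          => '',
            'user_login'     => $user_login,
            'user_email'     => $user_email,
            'registered'     => current_time( 'mysql', true ),
            'activation_key' => wp_hash_password( $key ), // hashed, like wp_users
            'meta'           => '',
        )
    );

    return $key;
}

/**
 * Verify a key presented by an activation link. The row is located by
 * user_login (carried in the link alongside the key) because a hashed
 * activation_key cannot be searched by the cleartext value.
 * Returns the signup row on success or a WP_Error on failure.
 */
function example_verify_signup_key( string $user_login, string $key ) {
    global $wpdb;

    $signup = $wpdb->get_row(
        $wpdb->prepare(
            "SELECT * FROM {$wpdb->signups} WHERE user_login = %s AND active = 0",
            $user_login
        )
    );

    // Same error for "no such pending signup" and "wrong key", so the
    // response does not reveal which of the two failed.
    if ( ! $signup || ! wp_check_password( $key, $signup->activation_key ) ) {
        return new WP_Error( 'invalid_key', __( 'Invalid activation key.' ) );
    }

    return $signup;
}
```

With this shape, the e-mail would link to something like the activation page with both `user_login` and `key` as query arguments; the caller then marks the row active exactly as the existing flow does. A database read still reveals user_login and the hash, but the hash alone cannot be presented to the activation endpoint, which is the property the ticket asks for.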
--
Ticket URL: <https://core.trac.wordpress.org/ticket/63573>