CVE-2017-14990
Published: Oct 2, 2017
Modified: Aug 5, 2024
PUBLISHED
Description
WordPress 4.8.2 stores cleartext wp_signups.activation_key values (but stores the analogous wp_users.user_activation_key values as hashes), which might make it easier for remote attackers to hijack unactivated user accounts by leveraging database read access (such as access gained through an unspecified SQL injection vulnerability).
| Vendor | Product | Versions |
|---|---|---|
| n/a | n/a | affected n/a |
References
DSA-3997 (vendor-advisory, x_refsource_DEBIAN)
1039554 (vdb-entry, x_refsource_SECTRACK)
https://core.trac.wordpress.org/ticket/38474 (x_refsource_MISC)