CVE-2017-14990
N/A
N/A
Summary
WordPress 4.8.2 stores cleartext wp_signups.activation_key values (but stores the analogous wp_users.user_activation_key values as hashes), which might make it easier for remote attackers to hijack unactivated user accounts by leveraging database read access (such as access gained through an unspecified SQL injection vulnerability).
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| n/a | n/a | n/a | affected |
Weaknesses
- n/a
ADP Enrichment
CVE Program Container
Additional References
- https://www.debian.org/security/2017/dsa-3997
- http://www.securitytracker.com/id/1039554
- https://core.trac.wordpress.org/ticket/38474
References
- https://www.debian.org/security/2017/dsa-3997
- http://www.securitytracker.com/id/1039554
- https://core.trac.wordpress.org/ticket/38474
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.