Description
WordPress 4.8.2 stores cleartext wp_signups.activation_key values (but stores the analogous wp_users.user_activation_key values as hashes), which might make it easier for remote attackers to hijack unactivated user accounts by leveraging database read access (such as access gained through an unspecified SQL injection vulnerability).
Remediation
References
Related Vulnerabilities
WordPress Plugin WP SVG images Cross-Site Scripting (3.3)
Joomla Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2023-23750)
WordPress Plugin WP Photo Album 'photo' Parameter SQL Injection (1.0)
WordPress Plugin W3 Total Cache Multiple Unspecified Vulnerabilities (0.9.5.1)
WordPress Plugin GiveWP-Donation and Fundraising Platform Information Disclosure (2.20.2)