Description

WordPress 4.8.2 stores cleartext wp_signups.activation_key values (but stores the analogous wp_users.user_activation_key values as hashes), which might make it easier for remote attackers to hijack unactivated user accounts by leveraging database read access (such as access gained through an unspecified SQL injection vulnerability).

Remediation

References

CVE-2017-14990

Related Vulnerabilities

WordPress Plugin 123devis-affiliation Cross-Site Scripting (1.0.4)

WordPress Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Vulnerability (CVE-2008-0194)

Jenkins Missing Authorization Vulnerability (CVE-2019-10354)

WordPress Plugin WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) Unspecified Vulnerability (7.2)

PrestaShop Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2020-6632)

Severity

Medium

Classification

CVE-2017-14990 CWE-312 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Missing Update Known Vulnerabilities