WordPress 3.5.2 does not hash user_activation_key in the database

Vulnerability

Last revised: July 17, 2013

WordPress 3.5.2 does not hash user_activation_key in the database. user_activation_key is a one-time password generated and used during the password reset process.

In combination with another vulnerability that reveals database fields, this value can be used to set a new password for a user account, bypassing the need to extract and brute-force password hashes.

Current state: Reported

CVSS Summary

CVSS base scores for this vulnerability
Score	4.3 Medium
Vector	Network
Complexity	Medium
Authentication	None
Confidentiality	Partial
Integrity	None
Availability	None

You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

N/A

Advisory timeline

Mitigation/further actions

We investigated hashing this value with a plugin, but the hooks that would be required are not available.

The issue has been reported to WordPress’s developers, and will be addressed in version 3.7.

dxw advisories

Advisory: