WordPress 3.5.2 does not hash user_activation_key in the database


Last revised:

WordPress 3.5.2 does not hash user_activation_key in the database. user_activation_key is a one-time password generated and used during the password reset process.

In combination with another vulnerability that reveals database fields, this value can be used to set a new password for a user account, bypassing the need to extract and brute-force password hashes.

Current state: Reported

CVSS Summary

CVSS base scores for this vulnerability:

Score: 4.3 (Medium)
Vector: Network
Complexity: Medium
Authentication: None
Confidentiality: Partial
Integrity: None
Availability: None
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept


Advisory timeline

Mitigation/further actions

We investigated hashing this value with a plugin, but the hooks that would be required are not available.

The issue has been reported to WordPress’s developers, and will be addressed in version 3.7.
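
The difference between storing the reset key as-is and storing only a digest of it, as an added example (not WordPress code and not part of the original advisory). It shows that a disclosed column value works as the reset key in the first case and is rejected in the second. The `$row` array stands in for one user's database row, all function names are hypothetical, SHA-256 is this example's choice of hash, and `random_bytes()` assumes PHP 7 or later.

```php
<?php
// Added illustration, not WordPress code. $row stands in for one user's
// database row; every function name here is hypothetical.

// Behaviour described in the advisory: the key is stored exactly as e-mailed.
function issue_key_plaintext(array &$row): string {
    $key = bin2hex(random_bytes(16));
    $row['user_activation_key'] = $key;
    return $key; // this value is e-mailed to the user
}

function check_key_plaintext(array $row, string $presented): bool {
    $stored = $row['user_activation_key'];
    return $stored !== '' && hash_equals($stored, $presented);
}

// Hardened form: only a digest of the key is stored. A fast hash is used
// here (an assumption of this example) because the key is 128 random bits.
function issue_key_hashed(array &$row): string {
    $key = bin2hex(random_bytes(16));
    $row['user_activation_key'] = hash('sha256', $key);
    return $key;
}

function check_key_hashed(array &$row, string $presented): bool {
    $stored = $row['user_activation_key'];
    if ($stored === '' || !hash_equals($stored, hash('sha256', $presented))) {
        return false;
    }
    $row['user_activation_key'] = ''; // one-time use: clear once accepted
    return true;
}

// Constructed scenario: a second flaw discloses the stored column value.
$plain = ['user_login' => 'alice', 'user_activation_key' => ''];
issue_key_plaintext($plain);
$disclosed = $plain['user_activation_key'];
var_dump(check_key_plaintext($plain, $disclosed)); // present the disclosed value

$hashed = ['user_login' => 'alice', 'user_activation_key' => ''];
$emailed = issue_key_hashed($hashed);
$disclosed = $hashed['user_activation_key'];
var_dump(check_key_hashed($hashed, $disclosed));   // present the disclosed digest
var_dump(check_key_hashed($hashed, $emailed));     // present the e-mailed key
var_dump(check_key_hashed($hashed, $emailed));     // present it a second time
```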