Advisory:

WordPress does not hash or expire wp_signups.activation_key allowing an attacker with SQL injection to create accounts

Vulnerability

Last revised:

When creating new users with a confirmation email, the key for that confirmation email is stored in plain text, and never expires. This means that when there are users who have been created who haven’t followed the link in their confirmation emails (common in installations with lots of users), an attacker with access to a read-only SQLi vulnerability can immediately create a user account for themselves.

wp_users.user_activation_key is hashed and contains a timestamp. wp_signups.activation_key should include these security features too.

This issue was originally raised as a ticket in Trac.

Current state: Reported

Proof of concept

  1. Visit /wp-admin/user-new.php (on a multisite installation – I haven’t tested on single site)
  2. Fill out the “Add New User” form but do not check the “Skip Confirmation Email” checkbox
  3. The user will be sent an email containing a link to /wp-activate.php?key=7259c714857ef009

This key is stored in the database unencrypted and without a timestamp:

mysql> select activation_key from wp_signups where signup_id=4;
+------------------+
| activation_key   |
+------------------+
| 7259c714857ef009 |
+------------------+
1 row in set (0.00 sec)

Advisory timeline

  • 2016-10-24: Opened Trac ticket
  • 2017-10-02: Requested CVE
  • 2017-10-02: Received CVE

Mitigation/further actions

Regularly purge old entries from the wp_signups table.