WordPress does not hash or expire wp_signups.activation_key allowing an attacker with SQL injection to create accounts


Last revised:

When creating new users with a confirmation email, the key for that confirmation email is stored in plain text, and never expires. This means that when there are users who have been created who haven’t followed the link in their confirmation emails (common in installations with lots of users), an attacker with access to a read-only SQLi vulnerability can immediately create a user account for themselves.

wp_users.user_activation_key is hashed and contains a timestamp. wp_signups.activation_key should include these security features too.

This issue was originally raised as a ticket in Trac.

Current state: Reported

CVSS Summary

CVSS base scores for this vulnerability
Score 0 Low
Vector Local
Complexity High
Authentication Multiple
Confidentiality None
Integrity None
Availability None
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

  1. Visit /wp-admin/user-new.php (on a multisite installation – I haven’t tested on single site)
  2. Fill out the “Add New User” form but do not check the “Skip Confirmation Email” checkbox
  3. The user will be sent an email containing a link to /wp-activate.php?key=7259c714857ef009

This key is stored in the database unencrypted and without a timestamp:

mysql> select activation_key from wp_signups where signup_id=4;
| activation_key   |
| 7259c714857ef009 |
1 row in set (0.00 sec)

Advisory timeline

  • 2016-10-24: Opened Trac ticket
  • 2017-10-02: Requested CVE
  • 2017-10-02: Received CVE

Mitigation/further actions

Regularly purge old entries from the wp_signups table.