Description

WordPress 4.8.2 stores cleartext wp_signups.activation_key values (but stores the analogous wp_users.user_activation_key values as hashes), which might make it easier for remote attackers to hijack unactivated user accounts by leveraging database read access (such as access gained through an unspecified SQL injection vulnerability).

Remediation

References

CVE-2017-14990

Related Vulnerabilities

Python Uncontrolled Resource Consumption Vulnerability (CVE-2022-48564)

IBM WebSEAL Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2017-1476)

WordPress Permissions, Privileges, and Access Controls Vulnerability (CVE-2009-2854)

MyBB Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2013-7275)

Squid Uncontrolled Resource Consumption Vulnerability (CVE-2021-46784)

Severity

Medium

Classification

CVE-2017-14990 CWE-312 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Missing Update Known Vulnerabilities