Wordpress Core - All Known Versions - Cleartext Storage Of Wp_signups.activation_key -

This review addresses a long-standing architectural oversight in the WordPress Core database schema, specifically regarding the wp_signups table utilized during the user registration process (predominantly in WordPress Multisite). The vulnerability involves the storage of the activation_key in cleartext (plain text) rather than a cryptographic hash.

: If you use Multisite, ensure that registrations are strictly moderated or that the time window for activation is kept short. decrypt on use.

Technical Analysis: Cleartext Storage of wp_signups.activation_key in WordPress Core decrypt on use.

The process involves:

Use a site-specific key (e.g., wp_salt ) to encrypt the activation key before storage, decrypt on use. decrypt on use.