Medium severity6.5NVD Advisory· Published Oct 3, 2017· Updated Jun 17, 2026
CVE-2017-14990
CVE-2017-14990
Description
WordPress 4.8.2 stores cleartext wp_signups.activation_key values (but stores the analogous wp_users.user_activation_key values as hashes), which might make it easier for remote attackers to hijack unactivated user accounts by leveraging database read access (such as access gained through an unspecified SQL injection vulnerability).
Affected products
4cpe:2.3:a:wordpress:wordpress:4.8.2:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:wordpress:wordpress:4.8.2:*:*:*:*:*:*:*
- (no CPE)range: <=4.8.2
Patches
Vulnerability mechanics
References
3- core.trac.wordpress.org/ticket/38474nvdExploitIssue TrackingThird Party Advisory
- www.securitytracker.com/id/1039554nvdThird Party AdvisoryVDB Entry
- www.debian.org/security/2017/dsa-3997nvdThird Party Advisory
News mentions
0No linked articles in our index yet.