Medium severity6.5NVD Advisory· Published Oct 3, 2017· Updated May 13, 2026

CVE-2017-14990

Description

WordPress 4.8.2 stores cleartext wp_signups.activation_key values (but stores the analogous wp_users.user_activation_key values as hashes), which might make it easier for remote attackers to hijack unactivated user accounts by leveraging database read access (such as access gained through an unspecified SQL injection vulnerability).

Affected products

WordPress/WordPress
cpe:2.3:a:wordpress:wordpress:4.8.2:*:*:*:*:*:*:*
Package: https://wordpress.org/plugins/wordpress
Debian/Debian Linux2 versions
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

core.trac.wordpress.org/ticket/38474nvdExploitIssue TrackingThird Party Advisory
www.securitytracker.com/id/1039554nvdThird Party AdvisoryVDB Entry
www.debian.org/security/2017/dsa-3997nvdThird Party Advisory

News mentions

No linked articles in our index yet.

cvss	0.423
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000