CVE-2017-14990
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2017-14990
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-14990.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2017-14990
- Downstream
- Published
- 2017-10-03T01:29:03Z
- Modified
- 2025-10-13T04:33:37Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- [none]
- Details
-
WordPress 4.8.2 stores cleartext wpsignups.activationkey values (but stores the analogous wpusers.useractivation_key values as hashes), which might make it easier for remote attackers to hijack unactivated user accounts by leveraging database read access (such as access gained through an unspecified SQL injection vulnerability).
- References
Affected packages
Git / github.com/wordpress/wordpress
Affected ranges
- Type
- GIT
- Repo
- https://github.com/wordpress/wordpress
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affected
- Type
- GIT
- Repo
- https://github.com/wordpress/wordpress-develop
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affected