[wp-hackers] Hashing user_activation_key in the database

Andrew Nacin wp at andrewnacin.com
Thu Jun 13 18:38:45 UTC 2013


On Thu, Jun 13, 2013 at 7:05 AM, Harry Metcalfe <harry at dxw.com> wrote:

> Hello all,
>
> During a recent penetration test, the tester found an SQL injection in a
> plugin. He used that injection to identify an administrative account, then
> requested a password reset using the form, and then used the injection to
> retrieve the user_activation_key. Because the key is not hashed, he was
> able to immediately log in, without having to spend any time trying to
> break the password hash.
> [...]
> What do people (and in particular, core committers) think about this? Is a
> sensible patch likely to be accepted?
>

I think the security team (a superset of the core committers) would have
some pretty interesting opinions on this. In the future, it is best to email
security at wordpress.org to get initial feedback before posting to a public
forum. We'll thank you for responsibly starting a private communication
with us and direct you to a public forum as appropriate.

I would suggest that, while it is not a bad idea, such a vulnerability
could always be used to change the user's hash. Of course, there are
situations where a vulnerability will only result in reading data, not
writing it. Again, security at wordpress.org in the future please, thanks.

Nacin
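A minimal illustration of the hash-on-store pattern Harry proposes, added here as an example; it is not code from WordPress or from anyone in this thread. It is written in Python rather than PHP for brevity, and the `USERS` dict, `KEY_LIFETIME_SECONDS` and the function names are assumptions standing in for the wp_users table and the reset flow. The point it demonstrates is the one in the quoted report: when only a hash of the key is stored, a read-only leak of the column yields a value that cannot be presented as the key. As Nacin notes, this does nothing against an injection that can also write the user's row.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stand-in for the wp_users table (assumption):
# one row per login. Only the hash of the reset key is ever stored.
USERS = {
    "admin": {"user_activation_key": "", "key_expires": 0.0},
}

KEY_LIFETIME_SECONDS = 24 * 60 * 60  # hypothetical 24-hour validity window


def hash_key(key):
    """Hash a reset key for storage. A plain SHA-256 is adequate because the
    key is 256 bits of randomness, not a low-entropy user-chosen password."""
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


def issue_reset_key(login, now=None):
    """Generate a fresh key, store only its hash and expiry, and return the
    plaintext key so it can be sent to the user (the only place it exists)."""
    now = time.time() if now is None else now
    key = secrets.token_urlsafe(32)
    USERS[login]["user_activation_key"] = hash_key(key)
    USERS[login]["key_expires"] = now + KEY_LIFETIME_SECONDS
    return key


def check_reset_key(login, presented, now=None):
    """Accept a presented key only if it hashes to the stored value and the
    key has not expired. Comparison is constant-time."""
    now = time.time() if now is None else now
    row = USERS.get(login)
    if row is None or not row["user_activation_key"]:
        return False
    if now > row["key_expires"]:
        return False
    return hmac.compare_digest(hash_key(presented), row["user_activation_key"])


def consume_reset_key(login, presented, now=None):
    """Validate the key and, on success, clear it so it is single-use."""
    ok = check_reset_key(login, presented, now)
    if ok:
        USERS[login]["user_activation_key"] = ""
        USERS[login]["key_expires"] = 0.0
    return ok


def leaked_column_is_useless(login, now=None):
    """Model a read-only leak: the attacker learns exactly the stored column.
    Presenting that stored value as if it were the key must be rejected."""
    stored = USERS[login]["user_activation_key"]
    return not check_reset_key(login, stored, now)


if __name__ == "__main__":
    t0 = 1000.0
    key = issue_reset_key("admin", now=t0)
    print("stored column:", USERS["admin"]["user_activation_key"])
    print("real key accepted:", check_reset_key("admin", key, now=t0 + 60))
    print("leaked column rejected:", leaked_column_is_useless("admin", now=t0 + 60))
```

The expiry and single-use clearing are the two extra checks a practitioner would want alongside the hash, since they bound the window in which even the plaintext key, if intercepted in transit, stays useful.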

