CVE Vulnerabilities

CVE-2017-14990

Cleartext Storage of Sensitive Information

Published: Oct 03, 2017 | Modified: Apr 20, 2025
CVSS 3.x: 6.5 MEDIUM (Source: NVD)
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS 2.x: 4 MEDIUM
AV:N/AC:L/Au:S/C:P/I:N/A:N
RedHat/V2
RedHat/V3
Ubuntu: LOW

WordPress 4.8.2 stores cleartext wp_signups.activation_key values (but stores the analogous wp_users.user_activation_key values as hashes), which might make it easier for remote attackers to hijack unactivated user accounts by leveraging database read access (such as access gained through an unspecified SQL injection vulnerability).

Weakness

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

Affected Software

| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Wordpress | Wordpress | 4.8.2 (including) | 4.8.2 (including) |
| Wordpress | Ubuntu | esm-apps/xenial | * |
| Wordpress | Ubuntu | trusty | * |
| Wordpress | Ubuntu | upstream | * |
| Wordpress | Ubuntu | xenial | * |
| Wordpress | Ubuntu | zesty | * |
