Viewing 3 replies - 1 through 3 (of 3 total)
  • Moderator James Huff

    (@macmanx)

    That’s normal. user_pass and user_activation_key *are* both hashed, but not the entire table.

    There is one tiny exception. Once the user_activation_key is used, it’s removed, and of course this blank value is not hashed.

    Thread Starter trosenthal

    (@trosenthal)

    This is normal? There is a major security flaw here. I just tested a registration of a user and their password is showing in the user_activation_key column. Furthermore, when they reset their password, the link to reset has their old password right in the URL!

    Moderator James Huff

    (@macmanx)

    I just tested a registration of a user and their password is showing in the user_activation_key column.

    Hm, I just tested this myself, and if I give them a password (so I know what it is), user_activation_key is blank as it should be.

    Furthermore, when they reset their password, the link to reset has their old password right in the URL!

    Furthermore, when I reset the password, the link *does not* contain the old password in the URL, it doesn’t even contain the activation key.

    My tests were run on a fresh installation of WordPress 4.8 with no plugins using the Twenty Seventeen theme, which leads me to believe that you have a plugin interfering, probably one that interacts with Users, possibly Ultimate Member based on your support history.

    Can you reproduce the same on a fresh installation of WordPress 4.8 with no plugins?
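
One way to check the two columns discussed in this thread, as an added example that is not part of the original posts or WordPress's own code. It assumes the WordPress 4.8 storage formats, which the thread does not spell out: a portable phpass hash (`$P$` plus 31 characters) for `user_pass`, and `<unix timestamp>:<phpass hash>` for a pending `user_activation_key`. The rows are constructed sample data.

```python
import re

# Assumed formats (not stated in the thread): WordPress 4.8 stores portable
# phpass hashes ("$P$" + 31 chars) and prefixes reset keys with a Unix timestamp.
PHPASS = r"\$P\$[./0-9A-Za-z]{31}"
PASS_RE = re.compile(rf"^{PHPASS}$")
KEY_RE = re.compile(rf"^\d{{1,12}}:{PHPASS}$")


def classify_key(value):
    """Classify one user_activation_key value."""
    if value == "":
        return "blank"            # key already used or never issued
    if KEY_RE.match(value):
        return "hashed"
    return "unexpected"           # not in the assumed hashed format


def audit(rows):
    """Return (user_login, column) pairs whose stored value needs review."""
    findings = []
    for login, user_pass, activation_key in rows:
        if not PASS_RE.match(user_pass):
            findings.append((login, "user_pass"))
        if classify_key(activation_key) == "unexpected":
            findings.append((login, "user_activation_key"))
    return findings


# Constructed sample rows (user_login, user_pass, user_activation_key).
SAMPLE_ROWS = [
    ("alice", "$P$B" + "a" * 30, ""),
    ("bob", "$P$B" + "b" * 30, "1498000000:$P$B" + "c" * 30),
    ("carol", "$P$B" + "d" * 30, "Summer2017!"),
]

if __name__ == "__main__":
    for login, column in audit(SAMPLE_ROWS):
        print(f"{login}: {column} is not in the expected hashed format")
```

A flagged row on a real site points to something other than core writing that column, which is the plugin-interference case raised in the last reply.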

  • The topic ‘user_activation_key is not hashed’ is closed to new replies.