6.5

CVE-2017-14990

Exploit

WordPress Core - All Known Versions - Cleartext Storage of wp_signups.activation_key

WordPress 4.8.2 stores cleartext wp_signups.activation_key values (but stores the analogous wp_users.user_activation_key values as hashes), which might make it easier for remote attackers to hijack unactivated user accounts by leveraging database read access (such as access gained through an unspecified SQL injection vulnerability).
Mögliche Gegenmaßnahme
WordPress: No known patch available. Review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance.
Weitere Schwachstelleninformationen
SystemWordPress Core
Produkt WordPress
Version *
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
WordpressWordpress Version4.8.2
DebianDebian Linux Version8.0
DebianDebian Linux Version9.0
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.4% 0.6
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6.5 2.8 3.6
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov 4 8 2.9
AV:N/AC:L/Au:S/C:P/I:N/A:N
CWE-312 Cleartext Storage of Sensitive Information

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

http://www.securitytracker.com/id/1039554
Third Party Advisory
VDB Entry
https://core.trac.wordpress.org/ticket/38474
Third Party Advisory
Exploit
Issue Tracking