CVE-2017-14990
CVE-2017-14990 is a vulnerability of currently unknown severity. WordPress 4.8.2 stores cleartext wp_signups.activation_key values (but stores the analogous wp_users.user_activation_key values as hashes), which might make it easier for remote attackers to hijack unactivated user accounts by leveraging database read access (such as access gained through an unspecified SQL injection vulnerability). EPSS estimates a 1.76% chance of exploitation in the next 30 days.
Description
WordPress 4.8.2 stores cleartext wp_signups.activation_key values (but stores the analogous wp_users.user_activation_key values as hashes), which might make it easier for remote attackers to hijack unactivated user accounts by leveraging database read access (such as access gained through an unspecified SQL injection vulnerability).
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| WordPress | WordPress | 4.8.2 |
| Debian | Debian Linux | 8.0 |
| Debian | Debian Linux | 9.0 |
References
- http://www.securitytracker.com/id/1039554 (Third Party Advisory, VDB Entry)
- https://core.trac.wordpress.org/ticket/38474 (Exploit, Issue Tracking, Third Party Advisory)
- https://www.debian.org/security/2017/dsa-3997 (Third Party Advisory)
Timeline
- Published
- Last Modified
- Status
- Modified
Source: NVD / NIST
