WordPress Core - All Known Versions - Cleartext Storage of wp_signups.activation_key
(Context-dependent) CVSS 3.1 Score Estimate: ~4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Verdict: Not a traditional vulnerability, but a design weakness that violates cryptographic best practices for sensitive activation tokens.
The primary risk is . An attacker could monitor the wp_signups table for new, unactivated registrations, steal the cleartext activation_key, and complete the registration process themselves. This allows them to effectively "steal" the account before the rightful owner has a chance to log in for the first time.
Because the wp_signups key is stored in plain text, any attacker who gains even to the database—for instance, through a separate SQL injection vulnerability—can see these keys and activate accounts before the legitimate owner does.
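The difference between cleartext and digest-only storage of the activation key, modeled as an added example (not WordPress code and not from the original page). The sqlite3 table, the function names and the choice of SHA-256 are assumptions made for illustration.

```python
import hashlib
import secrets
import sqlite3

def new_db():
    # Constructed stand-in for the signups table; not the real WordPress schema.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE signups (user_login TEXT, activation_key TEXT,"
               " active INTEGER DEFAULT 0)")
    return db

def digest(key):
    # The key is a random high-entropy token, so a fast hash is enough here;
    # a low-entropy secret such as a password would need a slow KDF instead.
    return hashlib.sha256(key.encode()).hexdigest()

def signup(db, login, hashed):
    key = secrets.token_hex(16)  # the value that would be emailed to the user
    stored = digest(key) if hashed else key
    db.execute("INSERT INTO signups (user_login, activation_key) VALUES (?, ?)",
               (login, stored))
    return key

def activate(db, presented, hashed):
    # Look up by digest when the table holds digests, by raw value otherwise.
    lookup = digest(presented) if hashed else presented
    row = db.execute("SELECT rowid FROM signups WHERE activation_key = ?"
                     " AND active = 0", (lookup,)).fetchone()
    if row is None:
        return False
    db.execute("UPDATE signups SET active = 1 WHERE rowid = ?", (row[0],))
    return True

def exposed_column(db):
    # What a read of the table reveals for pending signups.
    return [r[0] for r in db.execute(
        "SELECT activation_key FROM signups WHERE active = 0")]

def compare_storage():
    # For each storage mode: does the value read from the table activate the
    # account, and can the real key holder still activate afterwards?
    results = {}
    for hashed in (False, True):
        db = new_db()
        key = signup(db, "alice", hashed)
        column_value = exposed_column(db)[0]
        results[hashed] = (activate(db, column_value, hashed),
                           activate(db, key, hashed))
    return results

if __name__ == "__main__":
    print(compare_storage())
```

With cleartext storage the column value is the key itself, so whoever reads it first wins the activation; with digest storage the column value is rejected and only the emailed key activates the account.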