WordPress Core - All Known Versions - Cleartext Storage Of wp_signups.activation_key Jun 2026

The process involves:

If the registration involves an existing user being added to a new site, or if the attacker registers a username identical to an existing administrator on a different network site (depending on configuration), the potential for privilege escalation is high. Even for new users, hijacking an account allows the attacker to bypass email verification checks, which are often a gating mechanism for permissions.

Critics often argue that if an attacker has read access to the database, the site is already compromised. While that is true regarding site integrity, the impact of this vulnerability is credential reuse and identity theft.

The WordPress Security Team should treat this as a hardening priority for future Core releases. Implementing password-style hashing for activation keys is a low-effort, high-reward change that closes a persistent security gap.
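The following is an added example of the hardening recommended above, not WordPress Core code and not from the original page: only a digest of the activation key is stored, so a read of the table does not yield a key that activates the account. It assumes a deterministic SHA-256 digest of a 128-bit random key rather than a salted password hash, so the row can still be found from the key alone; `signup_create`, `signup_activate`, the sample address and the in-memory `$signups` array standing in for `wp_signups` are hypothetical.

```php
<?php
// Added illustration, not WordPress Core code. $signups stands in for the
// wp_signups table; function names and the sample e-mail are hypothetical.

/** Create a signup: store only a digest of the key, return the key for the e-mail link. */
function signup_create(array &$signups, string $email): string
{
    $key = bin2hex(random_bytes(16));             // 128-bit random activation key
    $signups[] = [
        'user_email'     => $email,
        'activation_key' => hash('sha256', $key), // digest at rest, never the key itself
        'active'         => 0,
    ];
    return $key;                                  // goes into the activation e-mail only
}

/** Activate by presented key: hash it, then match against the stored digests. */
function signup_activate(array &$signups, string $presentedKey): bool
{
    $digest = hash('sha256', $presentedKey);
    foreach ($signups as &$row) {
        // Constant-time comparison; pending rows only, so a key works once.
        if ($row['active'] === 0 && hash_equals($row['activation_key'], $digest)) {
            $row['active'] = 1;
            return true;
        }
    }
    return false;
}

// Constructed demo data.
$signups = [];
$key = signup_create($signups, 'newuser@example.test');

// Value an attacker with read access to the table would obtain.
$leaked = $signups[0]['activation_key'];

var_dump(signup_activate($signups, $leaked)); // stored digest presented as a key
var_dump(signup_activate($signups, $key));    // real key from the e-mail
var_dump(signup_activate($signups, $key));    // same key replayed
```

Because the stored value is a digest of the key, presenting it back is hashed a second time and matches no row, which is the property cleartext storage lacks.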

Every version of WordPress Core up to the current release.