Source: wordpress Version: 4.8.2+dfsg-1 Severity: important Tags: upstream security Forwarded: https://core.trac.wordpress.org/ticket/38474
Hi, the following vulnerability was published for wordpress. CVE-2017-14990[0]: | WordPress 4.8.2 stores cleartext wp_signups.activation_key values (but | stores the analogous wp_users.user_activation_key values as hashes), | which might make it easier for remote attackers to hijack unactivated | user accounts by leveraging database read access (such as access gained | through an unspecified SQL injection vulnerability). If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2017-14990 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14990 [1] https://core.trac.wordpress.org/ticket/38474 Please adjust the affected versions in the BTS as needed. Regards, Salvatore