Further investigation shows that correcting the stdClass array access
does not fully resolve the problem.
After changing:
$row['activation_key']
$row['signup_id']
to object access, the fatal no longer occurs, but the user is still not
created.
The call to wpmu_activate_signup() returns:
expired_key
Invalid key
For example:
root@web2:~# runuser -u www-data -- wp db query "
SELECT
signup_id,
user_login,
user_email,
registered,
activated,
active,
activation_key,
meta
FROM wp_signups
ORDER BY registered DESC;
" --path=/usr/share/wordpress
PHP Warning: Undefined array key "HTTP_HOST" in phar:///usr/local/bin/wp/vendor/wp-cli/wp-cli/php/WP_CLI/Runner.php(1334) : eval()'d code on line 10
signup_id user_login user_email registered activated active activation_key meta
4 testuser4 [email protected] 2026-06-16 01:36:41 0000-00-00 00:00:00 0 1781573801:$P$BxtQL25BC9z9l4e5zaK5VZlU9xkF8o1 a:2:{s:11:"add_to_blog";i:1;s:8:"new_role";s:10:"subscriber";}
3 testuser3 [email protected] 2026-06-16 01:09:37 0000-00-00 00:00:00 0 1781572177:$P$Ba8H1ph.D2fsdaYhgEP.GkpFAsey06. a:2:{s:11:"add_to_blog";i:1;s:8:"new_role";s:10:"subscriber";}
2 testuser2 [email protected] 2026-06-16 00:48:28 0000-00-00 00:00:00 0 1781570908:$P$BwBKwX5zVA/Um37UbDA.Vl/k04Vor3/ a:2:{s:11:"add_to_blog";i:1;s:8:"new_role";s:10:"subscriber";}
1 testuser1 [email protected] 2026-06-15 23:36:08 0000-00-00 00:00:00 0 1781566568:$P$B0kP7yFpwhQlDfbkvrKCqN0PIrZHQy0 a:2:{s:11:"add_to_blog";i:1;s:8:"new_role";s:10:"subscriber";}
root@web2:~# runuser -u www-data -- wp eval '
global $wpdb;
$row = $wpdb->get_row(
"SELECT signup_id, activation_key
FROM {$wpdb->signups}
WHERE user_login = '\''testuser4'\''"
);
$result = wpmu_activate_signup(
$row->activation_key,
$row->signup_id
);
if ( is_wp_error( $result ) ) {
echo $result->get_error_code() . PHP_EOL;
echo $result->get_error_message() . PHP_EOL;
} else {
var_dump( $result );
}
' --url=web2.site01.arc --path=/usr/share/wordpress
expired_key
Invalid key
The corresponding row remains in wp_signups with:
active = 0
activated = 0000-00-00 00:00:00
and no user is added to wp_users.
The activation_key stored in wp_signups has the timestamped hashed
form:
<timestamp>:$P$<hash>
The patched wp-admin/user-new.php retrieves this stored value and
passes it to wpmu_activate_signup(). The patched activation function
then rejects it because the supplied value exactly matches the stored
activation_key.
Despite the failed activation, the admin interface displays:
"User has been added to your site."
Therefore, the original stdClass fatal is only the first visible
failure. The same workflow also leaves a pending signup, does not
create the user, and displays a misleading success message.
In terms of a patch for this then, I'm not sure which way to go. I
haven't looked deeply into the history of the Debian patch....
The patch alters 4 files:
wp-activate.php
wp-admin/user-new.php
wp-includes/ms-default-filters.php
wp-includes/ms-functions.php
So this patch is in the context of upstream WordPress ticket #38474, which
identified that anyone with read access to the database could retrieve
unused activation links directly. Debian carries that proposed upstream
patch as a security fix for CVE-2017-14990.
So likely both ms-functions.php and user-new.php will need quite a few
modifications....
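
A simplified model of the behaviour described above (a stored activation_key of the form <timestamp>:$P$<hash>, and rejection when the caller passes the stored value back), added here as an illustration; it is not the Debian patch or WordPress code. password_hash() stands in for the phpass "$P$" hash, and store_key(), check_key(), the key lifetime and the branch order are assumptions.

```php
<?php
// Added example: models a "<timestamp>:<hash>" activation key check.
// Assumptions: password_hash()/password_verify() stand in for WordPress's
// phpass "$P$" hashes; function names, lifetime and branch order are hypothetical.

const KEY_LIFETIME = 2 * 86400; // assumed validity window, in seconds

// What is written to the signups table: only a timestamped hash of the key.
function store_key(string $plain_key, int $now): string {
    return $now . ':' . password_hash($plain_key, PASSWORD_DEFAULT);
}

// Returns 'ok' or an error code for the value a caller supplies.
function check_key(string $supplied, string $stored, int $now): string {
    if (strpos($stored, ':') === false) {
        return 'invalid_key';
    }
    [$ts, $hash] = explode(':', $stored, 2);
    if (password_verify($supplied, $hash)) {
        return ($now - (int) $ts) <= KEY_LIFETIME ? 'ok' : 'expired_key';
    }
    // The supplied value is byte-for-byte the database column: the caller read
    // it from the table rather than holding the emailed key, so it is refused.
    if (hash_equals($stored, $supplied)) {
        return 'expired_key';
    }
    return 'invalid_key';
}

$now       = 1781573801;               // sample timestamp (constructed input)
$plain_key = bin2hex(random_bytes(8)); // the key that would be emailed to the user
$stored    = store_key($plain_key, $now);

$cases = [
    'emailed key'               => [$plain_key, $now + 60],
    'stored column passed back' => [$stored, $now + 60],
    'emailed key after expiry'  => [$plain_key, $now + KEY_LIFETIME + 1],
    'wrong key'                 => ['not-the-key', $now + 60],
];
foreach ($cases as $label => [$supplied, $when]) {
    printf("%-26s => %s\n", $label, check_key($supplied, $stored, $when));
}
```

Only the first case returns ok. An admin-side caller that has just the database row cannot produce a value that passes, which is the situation in the user-new.php path above, and any caller has to test the return value before reporting success.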