To align with security best practices, WordPress Core should implement the following changes:
Account hijacking. An attacker can use a retrieved cleartext key to activate and take control of unactivated user accounts before the legitimate user does. To align with security best practices, WordPress Core
Critics often argue that if an attacker has read access to the database, the site is already compromised. While true regarding site integrity, the impact of this vulnerability is credential reuse and identity theft . To align with security best practices
For all known versions of WordPress Core, a persistent security configuration exists where activation keys for new user registrations are stored as cleartext in the wp_signups database table. This differs from the wp_users table, which hashes the user_activation_key for established accounts. Vulnerability Overview To align with security best practices, WordPress Core