An attacker leverages a separate vulnerability (like a plugin SQLi) to read the database.

Known to the WordPress security team since at least 2013 (Trac tickets #21342, #27817). Classified as “won’t fix” due to architectural constraints.

The cleartext storage of the activation_key introduces a significant risk vector, specifically categorized as .

: The vulnerability only becomes exploitable if an attacker can read your database. Use security plugins like Wordfence or All-In-One Security (AIOS) to block SQL injection attempts.

The process involves:

This stands in contrast to password verification, which utilizes wp_check_password() to compare a provided string against a stored hash.
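
The contrast between a cleartext key and a hash-compared secret, as an added example that is not WordPress core code: the function names are hypothetical, the arrays stand in for database rows, and SHA-256 is an assumed choice that suits a high-entropy random key.

```php
<?php
// Added illustration, not WordPress code. All names here are hypothetical.

// Cleartext scheme: the stored column value is the key itself.
function issue_cleartext(array &$table, string $login): string {
    $key = bin2hex(random_bytes(16));   // 128-bit random key, sent to the user
    $table[$login] = $key;              // same value lands in the table
    return $key;
}

function verify_cleartext(array $table, string $login, string $presented): bool {
    return isset($table[$login]) && hash_equals($table[$login], $presented);
}

// Hashed scheme: only a digest of the key is stored.
function issue_hashed(array &$table, string $login): string {
    $key = bin2hex(random_bytes(16));
    $table[$login] = hash('sha256', $key);  // the key itself is never persisted
    return $key;
}

function verify_hashed(array $table, string $login, string $presented): bool {
    if (!isset($table[$login])) {
        return false;
    }
    // Hash what was presented, then compare digests in constant time.
    return hash_equals($table[$login], hash('sha256', $presented));
}

// Constructed demo data: one pending activation in each scheme.
$clear  = [];
$hashed = [];
issue_cleartext($clear, 'alice');
$mailed = issue_hashed($hashed, 'alice');

// The values visible to anyone who can read the table.
$row_clear  = $clear['alice'];
$row_hashed = $hashed['alice'];

// Replay each stored value as if it were the key, then present the mailed key.
var_dump(verify_cleartext($clear, 'alice', $row_clear));
var_dump(verify_hashed($hashed, 'alice', $row_hashed));
var_dump(verify_hashed($hashed, 'alice', $mailed));
```

With cleartext storage the value in the table is the credential, so database read access is sufficient; with hashed storage the row holds only a digest that the verification path will not accept as a key.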