Security: Hash wp_signups.activation_key (Trac #38474, CVE-2017-14990)

[bor0]

Fixes https://core.trac.wordpress.org/ticket/38474

Summary

• wp_signups.activation_key stored activation keys as plain text. This patches it to use the same timestamp:phpass_hash format already used by wp_users.user_activation_key (introduced in [25696]).
• Activation URLs gain a signup_id parameter so the correct row can be fetched for hash verification without a table scan.
• Legacy plain-text keys (pre-upgrade pending activations) continue to work for backwards compatibility.
• A new activate_signup_expiration filter (default: DAY_IN_SECONDS) controls key expiry.
• 9 new PHPUnit tests; one existing test fixed to work with hashed keys.

Fixes #38474. See also: https://core.trac.wordpress.org/ticket/38474

Props bor0, tomdxw, jeremyfelt, SergeyBiryukov, SirLouen, dmsnell.

Test plan

Automated (PHPUnit)

npm install
# edit .env: set LOCAL_MULTISITE=true
npm run env:start
npm run env:install

# New tests:
npm run test:php -- -c tests/phpunit/multisite.xml   --filter Tests_Multisite_wpmuActivateSignup

# Fixed regression test:
npm run test:php -- -c tests/phpunit/multisite.xml   --filter test_should_not_fail_for_data_used_by_a_deleted_user

All 9 tests should pass.

Manual

1. Hashed key in DB — Register at /wp-signup.php as a logged-out user. Check wp_signups.activation_key: should be 1700000000:$P$Bxxx…, not a plain hex string.

2. Activation link works — The email link contains both key= and signup_id=. Clicking it shows "Your account is now active!"

3. Signup ID field on form — Visit /wp-activate.php with no params. The form should show both "Activation Key" and "Signup ID" fields.

4. Wrong key rejected — Visit /wp-activate.php?key=WRONGKEY&signup_id=<valid_id>. Activation must fail.

5. Legacy key BC — Insert a row into wp_signups with a plain-text activation_key (simulates a pre-upgrade pending activation). Visiting the activation URL with that key and its signup_id should still succeed — existing pending activations must not break after upgrade.

6. Expiry — Add add_filter('activate_signup_expiration', fn() => -1) to an mu-plugin, sign up, try to activate. Must fail with an expired-key error.

🤖 Generated with Claude Code

[github-actions]

Hi there! 👋

Thank you for your contribution to WordPress! 💖

It looks like this is your first pull request to wordpress-develop. Here are a few things to be aware of that may help you out!

No one monitors this repository for new pull requests. Pull requests must be attached to a Trac ticket to be considered for inclusion in WordPress Core. To attach a pull request to a Trac ticket, please include the ticket's full URL in your pull request description.

Pull requests are never merged on GitHub. The WordPress codebase continues to be managed through the SVN repository that this GitHub repository mirrors. Please feel free to open pull requests to work on any contribution you are making.

More information about how GitHub pull requests can be used to contribute to WordPress can be found in the Core Handbook.

Please include automated tests. Including tests in your pull request is one way to help your patch be considered faster. To learn about WordPress' test suites, visit the Automated Testing page in the handbook.

If you have not had a chance, please review the Contribute with Code page in the WordPress Core Handbook.

The Developer Hub also documents the various coding standards that are followed:

• PHP Coding Standards
• CSS Coding Standards
• HTML Coding Standards
• JavaScript Coding Standards
• Accessibility Coding Standards
• Inline Documentation Standards

Thank you,
The WordPress Project

[github-actions]

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

Core Committers: Use this line as a base for the props when committing in SVN:

Props bor0.

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

[github-actions]

Test using WordPress Playground

The changes in this pull request can previewed and tested using a WordPress Playground instance.

WordPress Playground is an experimental project that creates a full WordPress instance entirely within the browser.

Some things to be aware of

• All changes will be lost when closing a tab with a Playground instance.
• All changes will be lost when refreshing the page.
• A fresh instance is created each time the link below is clicked.
• Every time this pull request is updated, a new ZIP file containing all changes is created. If changes are not reflected in the Playground instance,
  it's possible that the most recent build failed, or has not completed. Check the list of workflow runs to be sure.

For more details about these limitations and more, check out the Limitations page in the WordPress Playground documentation.

Test this pull request with WordPress Playground.