It reflects a legacy design trade-off (simplicity over hashing) that lags behind modern expectations for credential storage: the activation key is a bearer credential, and it is kept in the form an attacker can use directly. In isolation, the added risk is modest because read access to the database is already a severe compromise. However, for compliance-heavy or high-value multisite networks it is worth addressing through defense in depth: short time-to-live for pending signups, regular cleanup of the wp_signups table, and encrypted backups so that a leaked dump does not expose live keys.
Password reset, by contrast: when an existing user requests a password reset, the generated key is stored as a hash in wp_users.user_activation_key. If the database leaks, an attacker cannot use the stored value as-is to reset the password; only the unhashed key sent to the user's email works.

The primary risk is hijacking of pending registrations. An attacker with read access could monitor the wp_signups table for new, unactivated rows (active = 0), take the cleartext activation_key, and complete the registration themselves by submitting it to wp-activate.php, which on success creates the user and displays the generated password. This allows them to effectively "steal" the account before the rightful owner has a chance to log in for the first time.

Status Across WordPress Versions
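The following is an added example, not code from WordPress or from the original page. It models a subset of the wp_signups table in SQLite with constructed rows, runs the query an attacker with database read access would use to turn pending signups into ready-made activation links, and then shows the two defense-in-depth measures discussed above: keeping only a hash of the key (the approach wp_users.user_activation_key already takes for password resets; SHA-256 is used here as a stand-in for WordPress's password hasher) and purging unactivated rows past a time-to-live. The site URL, the two-day TTL and all row contents are assumptions made for the example.

```python
import hashlib
import secrets
import sqlite3
from datetime import datetime, timedelta

# Constructed subset of the wp_signups schema. Column names match WordPress;
# types are simplified for SQLite. Rows inserted by seed() are made up.
SCHEMA = """
CREATE TABLE wp_signups (
    signup_id      INTEGER PRIMARY KEY,
    domain TEXT, path TEXT, title TEXT,
    user_login TEXT, user_email TEXT,
    registered TEXT, activated TEXT, active INTEGER,
    activation_key TEXT, meta TEXT
);
"""

SITE = "https://example.com"              # assumed network URL
NOW = datetime(2024, 1, 15, 12, 0, 0)      # fixed clock so timestamps compare as strings
INSERT = ("INSERT INTO wp_signups (domain,path,title,user_login,user_email,"
          "registered,activated,active,activation_key,meta) VALUES (?,?,?,?,?,?,?,?,?,?)")


def seed(conn, now=NOW):
    """Constructed rows: one fresh pending signup, one stale pending signup, one activated."""
    fmt = lambda d: d.isoformat(" ")
    conn.executemany(INSERT, [
        ("", "", "", "newuser", "newuser@example.com",
         fmt(now - timedelta(minutes=5)), "0000-00-00 00:00:00", 0, "9ecf6e4b2a1d3c70", ""),
        ("", "", "", "stale", "stale@example.com",
         fmt(now - timedelta(days=10)), "0000-00-00 00:00:00", 0, "0a1b2c3d4e5f6071", ""),
        ("", "", "", "done", "done@example.com",
         fmt(now - timedelta(days=1)), fmt(now - timedelta(hours=23)), 1, "ffffffffffffffff", ""),
    ])


def build_db():
    """In-memory database with the constructed signups table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    seed(conn)
    return conn


def attacker_activation_urls(conn):
    """What read access to wp_signups yields: a usable activation link per pending signup.

    Because activation_key is stored in cleartext, no cracking step is needed; the
    attacker can visit the link and claim the account before the real user does.
    """
    cur = conn.execute("SELECT user_login, activation_key FROM wp_signups WHERE active = 0")
    return {login: f"{SITE}/wp-activate.php?key={key}" for login, key in cur}


def hashed_store(key):
    """Defense-in-depth variant (not WordPress's own code): persist only a hash of the key,
    mirroring how password-reset keys are kept in wp_users.user_activation_key."""
    return hashlib.sha256(key.encode()).hexdigest()


def verify_key(stored_hash, presented):
    """Check a presented key against the stored hash in constant time."""
    return secrets.compare_digest(stored_hash, hashed_store(presented))


def purge_stale_signups(conn, now=NOW, ttl=timedelta(days=2)):
    """Table cleanup: delete unactivated signups older than ttl. Returns rows removed."""
    cutoff = (now - ttl).isoformat(" ")
    cur = conn.execute("DELETE FROM wp_signups WHERE active = 0 AND registered < ?", (cutoff,))
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = build_db()
    print("Leaked links:", attacker_activation_urls(db))
    print("Purged:", purge_stale_signups(db))
    h = hashed_store("9ecf6e4b2a1d3c70")
    print("Stored instead of the key:", h)
    print("Correct key verifies:", verify_key(h, "9ecf6e4b2a1d3c70"))
```

The first query is the same one a defender can run against production to measure exposure: every row it returns is an account that a database reader could claim right now. With hashed storage the same leak yields only digests, and the attacker is back to guessing 64-bit keys against wp-activate.php, which is the situation password resets are already in.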