Known to the WordPress security team since at least 2013 (Trac tickets #21342, #27817). Classified as “won’t fix” due to architectural constraints.
Store activation_key_hash (e.g., sha256) instead of plaintext. The activation link would still contain the plaintext key; WordPress would hash the incoming key and compare it against the stored hash.
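The hash-then-compare scheme described above, sketched in PHP as an added example; this is not WordPress core code. The function names, the in-memory array standing in for the signups table, the 128-bit key size and the single-use clearing step are assumptions made for illustration.

```php
<?php
// Added example, not WordPress core code. All function names are hypothetical.
declare(strict_types=1);

// Constructed stand-in for the signups table: email => row.
$signups = [];

/** Create a signup and return the plaintext key for the activation link. */
function issue_activation_key(array &$signups, string $email): string
{
    $key = bin2hex(random_bytes(16)); // random key, 128 bits (assumed size)
    $signups[$email] = [
        'activation_key_hash' => hash('sha256', $key), // only the hash is stored
        'active'              => false,
    ];
    return $key; // placed in the emailed link, never written to storage
}

/** Hash the incoming key and compare it against the stored hash. */
function activate(array &$signups, string $email, string $incomingKey): bool
{
    if (!isset($signups[$email]) || $signups[$email]['active']) {
        return false; // unknown signup, or already activated
    }
    $candidate = hash('sha256', $incomingKey);
    // hash_equals() compares the two digests in constant time.
    if (!hash_equals($signups[$email]['activation_key_hash'], $candidate)) {
        return false;
    }
    $signups[$email]['active'] = true;
    $signups[$email]['activation_key_hash'] = ''; // single use: clear on success
    return true;
}

$key = issue_activation_key($signups, 'user@example.test');
$storedHash = $signups['user@example.test']['activation_key_hash'];

// A value read out of storage is the hash, not the key. Submitting it is
// rejected, because the server hashes whatever it receives before comparing.
var_dump(activate($signups, 'user@example.test', $storedHash));
// The key from the link is accepted once, then rejected on reuse.
var_dump(activate($signups, 'user@example.test', $key));
var_dump(activate($signups, 'user@example.test', $key));
```

An unsalted SHA-256 digest is adequate here only because the key is long and random; it would not be a suitable way to store user-chosen passwords.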