https://security.dxw.com/advisories/wordpress-signups-activation/
WordPress does not hash or expire wp_signups.activation_key allowing an attacker with SQL injection to create accounts | dxwsecurity Vulnerability
When creating new users with a confirmation email, the key for that confirmation email is stored in plain text, and never expires. This means that when there are users who have been created who haven’t followed the link in their
Source: Security Feed