A vulnerability in the authentication state machines allows an attacker to bypass account security and authenticate to the server without providing a password.
Affected: all versions of Ascent, TrinityCore 3.x, MaNGOS, CMaNGOS, and all known forks.
World of Warcraft uses the SRP6 cryptographic algorithm to authenticate with servers without requiring the user's password to be sent over the Internet (in plaintext or as a hash).
Although the specific details of SRP6 are outside the scope of this write-up, the integrity of this process requires that the server holds 'secret' values that the client cannot guess. Only by deriving its own SRP6 values from the user's password can the client prove itself to the server.
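The property described above, shown as a minimal SRP-6 exchange. This is an added example, not code from the original write-up or from any of the listed projects; the toy group, SHA-256, the simplified proof M1 = H(A, B, K) and the names `register`, `login` and `private_key` are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Toy group for illustration only (assumption): N = 2**255 - 19 is prime, g = 2.
N = 2**255 - 19
G = 2
K_MULT = 3  # multiplier k used by SRP-6


def H(*parts) -> int:
    """Hash ints/bytes to an integer (SHA-256 is an assumption of this sketch)."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p if isinstance(p, bytes) else p.to_bytes(32, "big"))
    return int.from_bytes(h.digest(), "big")


def private_key(salt: bytes, user: str, password: str) -> int:
    """x: the value only someone who knows the password can derive."""
    inner = hashlib.sha256(f"{user}:{password}".encode()).digest()
    return H(salt, inner)


def register(user: str, password: str):
    """The server stores only (salt, verifier v = g^x), never the password."""
    salt = secrets.token_bytes(16)
    return salt, pow(G, private_key(salt, user, password), N)


def login(user: str, typed_password: str, salt: bytes, verifier: int) -> bool:
    # Client -> server: public value A (a stays on the client).
    a = secrets.randbelow(N - 2) + 1
    A = pow(G, a, N)
    # Server -> client: salt and B; b is the server secret the client cannot guess.
    b = secrets.randbelow(N - 2) + 1
    B = (K_MULT * verifier + pow(G, b, N)) % N
    u = H(A, B)
    # Client: derive the shared secret from the typed password, send proof M1.
    x = private_key(salt, user, typed_password)
    s_client = pow((B - K_MULT * pow(G, x, N)) % N, a + u * x, N)
    m1 = H(A, B, H(s_client))
    # Server: derive the same secret from b and the stored verifier, compare.
    s_server = pow(A * pow(verifier, u, N) % N, b, N)
    expected = H(A, B, H(s_server))
    return hmac.compare_digest(m1.to_bytes(32, "big"), expected.to_bytes(32, "big"))
```

The two sides only arrive at the same proof when the client's `x` matches the password behind the stored verifier, which is why the server must never accept a session that has not passed this comparison.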