Storing passwords in plain text is insecure.
This was in a thread a year ago, and marked as resolved and closed, but the plugin still stores the user’s password in plaintext in the user_meta table before they are verified. This is a major security risk. Please advise a solution, and make a change in the next version.
“First off–I love this plugin. Did everything I wanted to do with my site’s login area in a few clicks and it was clear. Seriously–a great thing.
The plugin (sometimes?) stores passwords in plaintext to send the right notification emails, however. In my case, this is a security problem, especially since users are entering their passwords upfront before they receive verification emails etc. It would really suck to have my site leak a user’s default pass along with their email, which is totally a possibility if my site were compromised.
The field is stored_user_password in the wp_user_meta table. I’ve commented out/edited the appropriate lines in my copy of the plugin, but thought I’d bring this to your attention as it struck me as a serious bug for any larger site that would be running this code…
http://wordpress.org/extend/plugins/register-plus-redux/”
- The topic ‘Storing passwords in plain text is insecure.’ is closed to new replies.