Theme My Login
[resolved] Password being stored in wp_usermeta upon registration? (2 posts)

  1. Irvin Lim
    Posted 3 years ago #

    Hi Jeff,

    First of all thanks for the wonderful plugin - it's really flexible and allows me to customise login pages in any way I want!

    However, I noticed a huge security issue... With the User Moderation module active, when I was testing user registration out, much to my horror, I noticed my password being stored as plain text in the wp_usermeta database! Digging into the code for user-moderation.php module, I found this:

    // Temporarily save plaintext pass
    if ( isset( $_POST['user_pass'] ) )
        update_user_meta( $user_id, 'user_pass', $_POST['user_pass'] );

    Could I just ask what is the reason behind this? I understand this plaintext password is removed from the database after the user confirms their email, but is there a real justification for needing to store the user's password in usermeta, and as plain text as well??

    I'm really concerned about this issue... And I'm just going to remove that line from that file first...


  2. Jeff Farthing
    Plugin Author

    Posted 3 years ago #

    Yes. When you enable Custom Passwords, the password needs to be saved in order to send it out in the welcome email once the user activates their account.
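
An added example, not part of the thread and not Theme My Login's code: one way to hold a user-chosen password while a registration awaits e-mail confirmation without writing the plaintext to storage. It assumes the welcome e-mail carries an activation link instead of the password; the array standing in for wp_usermeta, the function names and the meta keys are all hypothetical.

```php
<?php
// In-memory stand-in for the wp_usermeta table (hypothetical, for illustration).
$usermeta = [];

// Registration: keep only a one-way hash of the chosen password while the
// account is pending, plus a hash of the activation token. Neither the
// password nor the token itself is written to storage.
function register_pending(array &$usermeta, int $user_id, string $password): string
{
    $token = bin2hex(random_bytes(16)); // goes into the activation link only
    $usermeta[$user_id] = [
        'pending_pass_hash' => password_hash($password, PASSWORD_DEFAULT),
        'activation_hash'   => hash('sha256', $token),
    ];
    return $token;
}

// Activation: compare the token in constant time, promote the stored hash to
// the account credential, and drop the pending entries.
function activate(array &$usermeta, int $user_id, string $token): bool
{
    $meta = $usermeta[$user_id] ?? null;
    if ($meta === null || !isset($meta['activation_hash'])
        || !hash_equals($meta['activation_hash'], hash('sha256', $token))) {
        return false;
    }
    $usermeta[$user_id] = ['user_pass_hash' => $meta['pending_pass_hash']];
    return true;
}

// Constructed sample run.
$password = 'correct horse battery staple'; // constructed sample value
$token    = register_pending($usermeta, 42, $password);

// The plaintext must not appear anywhere in what was stored.
var_dump(strpos(serialize($usermeta), $password) === false);
// A wrong token is rejected and leaves the pending entry untouched.
var_dump(activate($usermeta, 42, 'wrong-token'));
// The real token activates the account exactly once.
var_dump(activate($usermeta, 42, $token));
var_dump(activate($usermeta, 42, $token));
// The user can still log in with the password they chose.
var_dump(password_verify($password, $usermeta[42]['user_pass_hash']));
```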

Topic Closed

This topic has been closed to new replies.
