First of all thanks for the wonderful plugin – it’s really flexible and allows me to customise login pages in any way I want!
However, I noticed a huge security issue… With the User Moderation module active, when I was testing user registration out, much to my horror, I noticed my password being stored as plain text in the wp_usermeta database! Digging into the code for the user-moderation.php module, I found this:

    // Temporarily save plaintext pass
    if ( isset( $_POST['user_pass'] ) )
        update_user_meta( $user_id, 'user_pass', $_POST['user_pass'] );

Could I just ask what is the reason behind this? I understand this plaintext password is removed from the database after the user confirms their email, but is there a real justification for needing to store the user’s password in usermeta, and as plain text as well??
I’m really concerned about this issue… And I’m just going to remove that line from that file first…
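
Added example, not part of the original post and not the plugin's code: one way a registration that waits for email confirmation can hold the chosen password as a one-way hash instead of plaintext. It assumes plain PHP arrays as stand-ins for the wp_usermeta and users tables and PHP's built-in password_hash() in place of WordPress's own hashing; the function names and the pending_pass_hash key are hypothetical.

```php
<?php
// Constructed stand-ins for the wp_usermeta and users tables so this runs outside WordPress.
$usermeta = [];
$users    = [ 7 => [ 'user_login' => 'alice', 'user_pass' => null ] ];

// Registration step: keep only a salted one-way hash while the account is pending.
function save_pending_pass( array &$usermeta, int $user_id, string $plain ): void {
    $usermeta[ $user_id ]['pending_pass_hash'] = password_hash( $plain, PASSWORD_DEFAULT );
}

// Confirmation step: move the hash to the account record and delete the temporary copy.
function activate_user( array &$usermeta, array &$users, int $user_id ): bool {
    if ( ! isset( $usermeta[ $user_id ]['pending_pass_hash'] ) ) {
        return false; // nothing pending, or already activated
    }
    $users[ $user_id ]['user_pass'] = $usermeta[ $user_id ]['pending_pass_hash'];
    unset( $usermeta[ $user_id ]['pending_pass_hash'] );
    return true;
}

// Login check: compare the attempt against the stored hash; pending accounts cannot log in.
function check_login( array $users, int $user_id, string $attempt ): bool {
    $hash = $users[ $user_id ]['user_pass'] ?? null;
    return is_string( $hash ) && password_verify( $attempt, $hash );
}

$plain = 'correct horse battery staple'; // constructed sample password
save_pending_pass( $usermeta, 7, $plain );

// The pending row never contains the plaintext, only the hash.
var_dump( strpos( json_encode( $usermeta ), $plain ) === false ); // bool(true)
var_dump( check_login( $users, 7, $plain ) );                     // bool(false): not confirmed yet

var_dump( activate_user( $usermeta, $users, 7 ) );                // bool(true)
var_dump( isset( $usermeta[7]['pending_pass_hash'] ) );           // bool(false): temporary copy gone
var_dump( check_login( $users, 7, $plain ) );                     // bool(true)
var_dump( check_login( $users, 7, 'wrong guess' ) );              // bool(false)
```

A database read during the pending window then exposes only a hash, and the confirmation step never needs the original password.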