Support » Plugin: User Registration & User Profile - Profile Builder » Passwordless login has a security loophole

  • virtualabode

    (@virtualabode)


    Hi

    I’ve found an issue with the passwordless login that is a major security loophole.
    As things are right now, unapproved users can access the website by requesting a passwordless login; the website will generate the link and email it to them, and once clicked, the link will grant them access as if they were approved.

    The username/password login correctly denies unapproved users access to both the website and the API, but both the website and the API allow unapproved users access via the passwordless login feature.

    What is your usual timeline for applying patches to plugins please?

    Many thanks
    Luke
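
The loophole reported in this post, shown as an added example that is not part of the thread and is not Profile Builder's code: a Python model in which the password path and the emailed-link path both finish in one function that enforces approval. All names, accounts and the `approved` flag are hypothetical stand-ins for the plugin's admin-approval state.

```python
import hashlib, hmac, secrets, time

def _kdf(pw):  # constructed fixed salt, for the sample only
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), b"sample-salt", 10_000)

# Constructed accounts; "approved" stands in for the plugin's admin-approval state.
USERS = {
    "alice": {"pw": _kdf("correct horse"), "approved": True},
    "mallory": {"pw": _kdf("hunter2"), "approved": False},
}
TOKENS = {}      # sha256(token) -> (username, expiry timestamp)
TOKEN_TTL = 600  # seconds

class LoginDenied(Exception):
    pass

def establish_session(username):
    """Single choke point: every login path ends here, so the approval
    check cannot be skipped by adding a new way to authenticate."""
    user = USERS.get(username)
    if user is None or not user["approved"]:
        raise LoginDenied("account not approved")
    return {"user": username, "sid": secrets.token_urlsafe(16)}

def password_login(username, password):
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["pw"], _kdf(password)):
        raise LoginDenied("bad credentials")
    return establish_session(username)

def request_magic_link(username, now=None):
    """Return a single-use token, or None if no link should be sent."""
    user = USERS.get(username)
    if user is None or not user["approved"]:
        return None  # caller shows the same generic message either way
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    TOKENS[digest] = (username, (now or time.time()) + TOKEN_TTL)
    return token

def redeem_magic_link(token, now=None):
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = TOKENS.pop(digest, None)  # pop makes the link single use
    if entry is None or (now or time.time()) > entry[1]:
        raise LoginDenied("invalid or expired link")
    # Approval is re-checked at redemption: it may have changed since issuance.
    return establish_session(entry[0])
```

The behaviour described in the post corresponds to the redemption step creating the session itself instead of going through the shared approval check.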

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author Paul Plapșa

    (@paulplapsa)

    Hello,

    I was able to replicate this issue and have submitted a bug report. You can expect a fix for it in one of the next few versions of the plugin. Unfortunately, because of the low number of users that are affected by this bug, we cannot give it a very high priority, so there is no ETA on the fix.

    Thank you for bringing this to our attention!

    Regards,
    Paul

    virtualabode

    (@virtualabode)

    Thank you for letting us know, Paul.

    Hi, may I ask if this loophole has been fixed yet? I would like to use your plugin as well, but security is #1 priority! tx

    Plugin Author Paul Plapșa

    (@paulplapsa)

    Hello,

    No, our development team has yet to fix this issue, but I just gave the bug report a bump up in priority. Hopefully you will see a bugfix in one of the next few versions.

    Best Regards,
    Paul
