[Plugin: Register Plus] Bug: User verification can be dodged using 'Lost password' (1 post)

  1. Mark
    Posted 6 years ago

    I'm using the 'admin verification' method to vet all new registrations. However, I found that new users can simply get around this by taking the following steps:
    (1) Register a new account
    (2) Try to log in. This doesn't work because you haven't received the password email yet.
    (3) Click 'lost your password?', fill in email, and wait for password mail to arrive. This mail includes the username (something like unverified__e795g4md) and a generated password!
    (4) Et voilà, log in.

    This seems to me to be quite a serious bug. Unverified email addresses shouldn't be able to request their password.
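
One way a site owner could close the gap reported above, as an added example that is not part of the original post and is not Register Plus code. It assumes accounts awaiting approval can be recognised by the `unverified__` login prefix quoted in the post; the `rp_guard_*` names are hypothetical.

```php
<?php
/**
 * Added example: refuse password resets and logins for accounts that are
 * still awaiting admin verification. Load it as a small plugin or from
 * wp-content/mu-plugins/.
 *
 * Assumption: pending accounts carry the "unverified__" login prefix
 * mentioned in the report. All rp_guard_* names are hypothetical.
 */

define( 'RP_GUARD_PENDING_PREFIX', 'unverified__' );

// True only for a real user object whose login still has the pending prefix.
function rp_guard_is_pending( $user ) {
    return ( $user instanceof WP_User )
        && 0 === strpos( $user->user_login, RP_GUARD_PENDING_PREFIX );
}

// Step (3) of the report: core consults this filter before it issues a
// reset, so a pending account never gets the "lost password" mail.
function rp_guard_block_reset( $allow, $user_id ) {
    if ( rp_guard_is_pending( get_userdata( $user_id ) ) ) {
        return new WP_Error( 'rp_guard_pending', 'This account is awaiting approval.' );
    }
    return $allow; // Leave decisions made by other plugins untouched.
}
add_filter( 'allow_password_reset', 'rp_guard_block_reset', 10, 2 );

// Step (4), defence in depth: even with a valid password, a pending
// account is rejected at login. $user may already be a WP_Error here,
// which rp_guard_is_pending() treats as "not pending" and passes through.
function rp_guard_block_login( $user, $password ) {
    if ( rp_guard_is_pending( $user ) ) {
        return new WP_Error( 'rp_guard_pending', 'This account is awaiting approval.' );
    }
    return $user;
}
add_filter( 'wp_authenticate_user', 'rp_guard_block_login', 10, 2 );
```

To confirm the fix, repeat the four steps from the report with a test registration: the reset request in step (3) should now return the approval message and no mail should be sent.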


This topic has been closed to new replies.