• alexboerescu

    (@alexboerescu)


    Hi guys,

    Why did you mark this topic as resolved?

    In the latest version (2.1.5), the plugin still stores the user’s password in clear text in the USERMETA table as the value of the single_user_password key… This happens if you use the ootb UM account page to update your profile – the password you provide to authenticate yourself gets stored in the DB…

    Please look into this ASAP as it’s a major security flaw.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Thread Starter alexboerescu

    (@alexboerescu)

    The account page that I was mentioning has this short code: [ultimatemember_account]
    There’s no way to modify it from wp admin…

    justdave

    (@justdave)

    I don’t have anything with a ‘single_user_password’ key in my usermeta table.

    Yes, it has, even in the latest update (2.1.7).

    When you export user personal data, you can see all members’ passwords in plain text in the column with the meta title “single_user_password”.

    These passwords are those of members who reset them after login; I would say about 30% of the passwords are open to the administrator’s eyes.

    This issue was unresolved for many years; you can see the topic owner posted 3 years ago in another topic.

    I would love to use this plugin on my other websites, but for security reasons, I backed off.

    Kindly please resolve it ASAP. Thank you!

    • This reply was modified 5 years, 8 months ago by nexcc.
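A site owner can check a database for the behaviour reported in this thread. The following is an added example, not code from the plugin or from any poster: it audits a `wp_usermeta` table for the `single_user_password` key without ever returning the stored values. It assumes the default `wp_` table prefix, uses a constructed in-memory SQLite table in place of a real MySQL database, and its function names are hypothetical.

```python
import re
import sqlite3

META_KEY = "single_user_password"  # meta key named in the thread
# Heuristic: password hashes use a "$scheme$" prefix (e.g. $P$, $2y$); other values are treated as readable.
HASH_LIKE = re.compile(r"^\$[A-Za-z0-9]+\$")

def build_sample_db():
    """Constructed stand-in for a WordPress database (default wp_ prefix assumed)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, "
        "user_id INTEGER, meta_key TEXT, meta_value TEXT)"
    )
    rows = [  # constructed sample rows, not real data
        (1, META_KEY, "constructed-plain-value"),
        (2, "nickname", "dave"),
        (3, META_KEY, "$P$BconstructedHashValue0000000000"),
        (4, META_KEY, ""),
    ]
    db.executemany(
        "INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES (?, ?, ?)", rows
    )
    return db

def audit(db):
    """Map each affected user_id to 'plaintext', 'hashed' or 'empty'; values are never returned."""
    findings = {}
    query = "SELECT user_id, meta_value FROM wp_usermeta WHERE meta_key = ?"
    for user_id, value in db.execute(query, (META_KEY,)):
        if not value:
            findings[user_id] = "empty"
        elif HASH_LIKE.match(value):
            findings[user_id] = "hashed"
        else:
            findings[user_id] = "plaintext"
    return findings

def purge(db):
    """Delete every row with the key; assumes the owner has decided the rows are not needed."""
    cur = db.execute("DELETE FROM wp_usermeta WHERE meta_key = ?", (META_KEY,))
    db.commit()
    return cur.rowcount

if __name__ == "__main__":
    db = build_sample_db()
    for uid, kind in sorted(audit(db).items()):
        print(f"user_id={uid}: {kind}")
    print("rows removed:", purge(db))
```

Users flagged as `plaintext` should also change their passwords, since database backups and personal-data exports made earlier may still contain the values.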

The topic ‘Plugin stores users password in clear text’ is closed to new replies.