[Resolved] Security issue: Unencrypted password saved into database!
Hello. This is not a question. More of a security HEADS UP for the plugin author.
Events Manager creates option_name dbem_smtp_password inside wp_options table, which stores the password added in E-mail settings -> SMTP -> SMTP password.
This is done unencrypted which really creeps me out.
Even worse is that if you leave the username and password fields empty and save, the next time you enter this page your browser will prefill these fields with your wordpress login data (if you ever allowed your browser to remember your login information). Now when you save the settings again, your wp username and password will be stored inside database unencrypted.
This prefill seems to happen even if smtp settings page is not active -> you could be using php post settings and still smtp settings would store your password and username if fields left empty.
I think the best and easiest way to fix this issue would be storing the password encrypted, which should be the way it’s done in the first place. Never ever store passwords unencrypted.
Another way would be to make sure that this smtp username and password field has nothing to do with wordpress login form, since now it seems like your browser is messing these up.
WP 3.7.1 and Events Manager 5.5.2.
OS Mavericks 10.9 / Google Chrome 31.0.1650.57
Please look into this. Otherwise it’s a great plugin so it’s a shame there’s security issue like this. Thank you.
- The topic ‘[Resolved] Security issue: Unencrypted password saved into database!’ is closed to new replies.