Support » Plugin: Woocommerce Extra Registration Fields » This plugin stores passwords in plain text

  • Hi,

    Function os_woocommerce_save_extra_register_fields() and os_woocommerce_edit_account_save() inside class-woocommerce-extra-account-fields-public.php iterate all fields, and pushes these fields into table user_meta.

    This is a huge security risk for all our clients.

    I temporarily solved this issue by changing if ( isset( $field ) ) to if ( isset( $field ) && $key != ‘password’)

    Please update your plugin to prevent password leaks.

    https://wordpress.org/plugins/woocommerce-extra-accounts-fields/

Viewing 1 replies (of 1 total)
  • Thanks for the snippet – I had discovered this independently, and it was leading to a number of emails being sent announcing password resets, because a password was coming out of the database every time a customer object was hydrated on checkout.

Viewing 1 replies (of 1 total)
  • The topic ‘This plugin stores passwords in plain text’ is closed to new replies.