Event Manager Plugin Security Issue: Unencrypted Password Saved Into Database!
This is one of the reasons we love the WordPress community: user diligence.
Thanks to WordPress user jleander, a potential password issue was found in a popular plugin, Event Manager.
Below is his original support ticket posted on 11/24/2013.
Hello. This is not a question. More of a security HEADS UP for the plugin author.
Events Manager creates option_name dbem_smtp_password inside wp_options table, which stores the password added in E-mail settings -> SMTP -> SMTP password.
This is done unencrypted, which really creeps me out.
Even worse is that if you leave the username and password fields empty and save, the next time you enter this page your browser will prefill these fields with your WordPress login data (if you ever allowed your browser to remember your login information). Now when you save the settings again, your WP username and password will be stored inside the database unencrypted.
This prefill seems to happen even if the SMTP settings page is not active -> you could be using the PHP post settings and still the SMTP settings would store your password and username if the fields are left empty.
I think the best and easiest way to fix this issue would be storing the password encrypted, which should be the way it’s done in the first place. Never ever store passwords unencrypted.
Another way would be to make sure that this SMTP username and password field has nothing to do with the WordPress login form, since right now it seems like your browser is mixing these up.
You can follow this thread here: Event Manager Security Issue
Thanks again to jleander for finding such a potential security issue. Anyone using this plugin may want to temporarily disable it until a fix is implemented, and check for themselves whether the dbem_smtp_password row in their wp_options table holds a plaintext password (and, worse, their own WordPress login password rather than the SMTP one).
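The ticket proposes two fixes: store the SMTP password encrypted, and stop the settings field from being treated by the browser as the WordPress login form. The following is an added example of how a plugin could implement both; it is not code from Events Manager or from the ticket author. It assumes the option name dbem_smtp_password from the ticket, uses a hypothetical demo_ prefix for its own functions, and derives its encryption key from the AUTH_KEY and AUTH_SALT constants in wp-config.php (an assumption of this example, not something the plugin does).

```php
<?php
// Added example, not Events Manager's own code. Hardened handling of the SMTP
// password option: encrypted at rest, never overwritten by an empty (autofilled)
// field, and served from a form field the browser will not mistake for wp-login.
// Assumptions: option name dbem_smtp_password (from the ticket); demo_* function
// names are hypothetical; key derived from AUTH_KEY/AUTH_SALT in wp-config.php.

// Derive a 32-byte AES-256 key from the install-specific secrets in wp-config.php.
function demo_smtp_key(): string {
    if (!defined('AUTH_KEY') || !defined('AUTH_SALT')) {
        throw new RuntimeException('AUTH_KEY/AUTH_SALT missing from wp-config.php');
    }
    return hash('sha256', AUTH_KEY . AUTH_SALT, true);
}

// AES-256-GCM with a random 12-byte nonce and 16-byte tag; base64 so the blob
// fits in the longtext option_value column without encoding surprises.
function demo_encrypt_secret(string $plaintext): string {
    $nonce = random_bytes(12);
    $tag   = '';
    $ct = openssl_encrypt($plaintext, 'aes-256-gcm', demo_smtp_key(),
                          OPENSSL_RAW_DATA, $nonce, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($nonce . $tag . $ct);
}

// Returns null for anything that is not a blob we produced (wrong key,
// truncated value, or a tampered ciphertext that fails the GCM tag check).
function demo_decrypt_secret(string $stored): ?string {
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) < 28) {
        return null;
    }
    $nonce = substr($raw, 0, 12);
    $tag   = substr($raw, 12, 16);
    $ct    = substr($raw, 28);
    $pt = openssl_decrypt($ct, 'aes-256-gcm', demo_smtp_key(),
                          OPENSSL_RAW_DATA, $nonce, $tag);
    return $pt === false ? null : $pt;
}

// Settings save handler. The option is only touched when the admin typed a new
// value; an empty field (the browser-autofill case from the ticket) must never
// overwrite the stored secret, and the current secret is never echoed back.
function demo_save_smtp_settings(array $post): void {
    check_admin_referer('demo_smtp_settings');          // dies on a bad nonce
    if (!current_user_can('manage_options')) {
        wp_die('not allowed');
    }
    $pw = isset($post['demo_smtp_password']) ? (string) $post['demo_smtp_password'] : '';
    if ($pw !== '') {
        // autoload = false: keep the blob out of the options loaded on every request.
        update_option('dbem_smtp_password', demo_encrypt_secret($pw), false);
    }
}

// Read side, used when actually sending mail.
function demo_get_smtp_password(): ?string {
    $stored = get_option('dbem_smtp_password', '');
    return $stored === '' ? null : demo_decrypt_secret((string) $stored);
}

// The form field: a distinct field name (not "log"/"pwd" as on wp-login.php),
// an always-empty value, and autocomplete="new-password" so password managers
// treat it as a fresh credential instead of prefilling the WordPress login.
function demo_smtp_password_field(): string {
    return '<input type="password" name="demo_smtp_password" value="" '
         . 'autocomplete="new-password" />';
}
```

Two caveats a site owner should keep in mind. First, encrypting with a key that lives in wp-config.php only protects against exposures of the database alone (a SQL injection elsewhere, a leaked backup, a shared database host); an attacker who has read access to the filesystem gets both the key and the blob. Second, browsers are free to ignore autocomplete hints, so the server-side rule of never saving an empty field is the part that actually prevents the login-credential overwrite the ticket describes.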