The plugin stores passwords as plaintext if one creates a password field where the meta key is not “user_password”.
You can find the password as plain text in your database. Check the “usermeta” table with the meta key you set. The password is also sent as plaintext in an email to the admin.
This is a security vulnerability. I wrote you an email about this. You did not change this in your new version.
I tested this vulnerability with versions 2.0.6, 2.0.9 and 2.0.10. WordPress version is 4.9.5.
I highly recommend deactivating the plugin until the “developers” remove this vulnerability.
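
Added example (not part of the original post and not the plugin's code): a Python audit that takes rows exported from the usermeta table and reports which users have a non-hashed value stored under a password meta key. The key name `signup_pw` and the sample rows are constructed; substitute the meta key you configured in the form.

```python
import re

# Formats a hashed password value may take. Anything else stored under a
# password meta key is treated as plaintext.
HASH_PATTERNS = [
    re.compile(r"^\$[PH]\$[./0-9A-Za-z]{31}$"),            # phpass portable hash (34 chars)
    re.compile(r"^\$2[abxy]\$\d{2}\$[./0-9A-Za-z]{53}$"),  # bcrypt (60 chars)
    re.compile(r"^[0-9a-f]{32}$"),                         # bare MD5 hex digest
]


def looks_hashed(value):
    """True if value matches one of the known hash formats above."""
    return any(p.match(value) for p in HASH_PATTERNS)


def find_plaintext_passwords(rows, password_meta_keys):
    """rows: iterable of (user_id, meta_key, meta_value) from usermeta.

    Returns sorted (user_id, meta_key) pairs whose value is not in a known
    hash format. The values themselves are never returned or printed, so the
    report can be shared without leaking the passwords again.
    """
    keys = set(password_meta_keys)
    findings = set()
    for user_id, meta_key, meta_value in rows:
        if meta_key in keys and meta_value and not looks_hashed(meta_value):
            findings.add((user_id, meta_key))
    return sorted(findings)


# Constructed sample rows; "signup_pw" is a hypothetical custom meta key.
SAMPLE_ROWS = [
    (1, "nickname", "alice"),
    (1, "signup_pw", "correct horse battery"),
    (2, "signup_pw", "$P$B" + "a" * 30),  # shaped like a phpass hash
    (3, "signup_pw", ""),                 # empty value, nothing stored
    (4, "signup_pw", "hunter2"),
]

if __name__ == "__main__":
    for user_id, key in find_plaintext_passwords(SAMPLE_ROWS, ["signup_pw"]):
        print(f"user {user_id}: plaintext value under meta key {key!r}")
```

Users flagged by the audit should have the stored meta value deleted and their passwords reset, since the same value was also emailed to the admin.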