• Resolved John Quail

    (@johnquail)


    I’ve noticed that it is possible to use the members directory search bar to find profiles using terms that are not publicly shown on their profiles, like home address and other private information.

Viewing 6 replies - 1 through 6 (of 6 total)
  • Thread Starter John Quail

    (@johnquail)

    It seems it can also be searched by email. For example, by typing “yahoo”, I get a search result showing all the users that signed up using yahoo email addresses.

    Plugin Support andrewshu

    (@andrewshu)

    Hello @johnquail

    You could use this hook to hide fields from search:

    function um_my_custom_general_search_fields( $custom_fields ) {
        $custom_fields = array(
            'email', // here you could add fields
        );
        return $custom_fields;
    }
    add_filter( 'um_general_search_custom_fields', 'um_my_custom_general_search_fields', 10, 1 );

    Thank you.
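
A model of the behaviour reported in this thread, and of scoping search to the fields the viewer is allowed to see. This is an added example, not part of the original posts and not Ultimate Member code; the member records, field names, roles and function names are all constructed for illustration.

```python
# Constructed sample data; nothing here comes from a real site or plugin.
MEMBERS = [
    {"display_name": "Alice K.", "last_name": "Keller",
     "email": "alice@yahoo.example", "address": "12 Elm Road"},
    {"display_name": "Bob", "last_name": "Smith",
     "email": "bob@mail.example", "address": "4 Oak Lane"},
    {"display_name": "Carol S.", "last_name": "Smith",
     "email": "carol@yahoo.example", "address": "9 Elm Road"},
]

# Assumed policy: the minimum role that may see each field on a profile.
ROLE_RANK = {"public": 0, "admin": 1}
FIELD_VISIBILITY = {"display_name": "public", "last_name": "admin",
                    "email": "admin", "address": "admin"}


def visible_fields(role):
    """Fields the given role is allowed to see on a profile."""
    return {f for f, need in FIELD_VISIBILITY.items()
            if ROLE_RANK[role] >= ROLE_RANK[need]}


def _match(members, term, fields):
    """Display names of members with `term` in any of `fields`."""
    term = term.casefold()
    return [m["display_name"] for m in members
            if any(term in str(m.get(f, "")).casefold() for f in fields)]


def naive_search(members, term):
    """Matches every stored field, so hidden data answers the query."""
    return _match(members, term, FIELD_VISIBILITY.keys())


def scoped_search(members, term, role):
    """Matches only fields the searching role could read anyway."""
    return _match(members, term, visible_fields(role))


def leaking_fields(searchable, role):
    """Audit check: fields `role` can probe via search but cannot view."""
    return sorted(set(searchable) - visible_fields(role))


if __name__ == "__main__":
    print(naive_search(MEMBERS, "yahoo"))             # hidden email matches
    print(scoped_search(MEMBERS, "yahoo", "public"))  # no match for visitors
    print(leaking_fields(FIELD_VISIBILITY, "public"))
```

Running `leaking_fields` against a site's real search configuration gives the list of fields to remove from public search.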

    Thread Starter John Quail

    (@johnquail)

    So this is how the plugin is supposed to work? It seems like a big security issue. Search by email and other private info should be restricted to the admin panel.

    Plugin Support andrewshu

    (@andrewshu)

    Hello @johnquail

    We wrote to the WP support to clarify this issue. This is what they said:

    Yes, you could find a user account via typing in random emails, but really the idea that somebody already knows the email and is checking the site means that they already probably know that that user is a user of the site. So it’s not really telling them anything new. It’s a theoretical vulnerability only.

    But we plan to add this option to member directory settings in future.

    Thank you for your feedback.

    Thread Starter John Quail

    (@johnquail)

    It’s a huge security vulnerability because, for example, I can type common surnames and the website will list for me all the users that have that surname, even if that information is hidden on the public profiles.

    There is no social network nor online forum that allows people to publicly search for private or confidential information that is hidden from the profiles. It’s not only a security issue but it could also lead to lawsuits for poor management of private information. Please solve ASAP.

    Plugin Support andrewshu

    (@andrewshu)

    Hi @johnquail

    As I wrote you before, we clarified this question and gave you the answer that we received.
    We have added this task to our plans and provided you with a hotfix that you can use on your website.

    Thanks for your feedback.

  • The topic ‘IMPORTANT: Members directory search shows results based on private info’ is closed to new replies.