Token visible by email

  • Resolved neoset

    (@neoset)


    3 years, 4 months ago

    Hello, when installing the Ultimate member plugin and requesting the deletion of data through the Ultimate member account, when sending the confirmation email, the following link is displayed in the email:
    /wp-login.php?action=confirmaction&request_id=3353&confirm_key=Iq6CH8VpT5bxzsOmgsLT&sgs-token=enter
    The token created with SG Security is shown, this is a security hole for which you install Ultimate member or another member plugin, there are other plugins that use this export request system and data deletion from the account.
    The WPS Hide Login plugin shows the links in the delete and export emails without tokens so it is possible to do so.
    All the best.

    • This topic was modified 3 years, 4 months ago by neoset.
    • This topic was modified 3 years, 4 months ago by neoset.
    • This topic was modified 3 years, 4 months ago by neoset.
Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author Stoyan Georgiev

    (@stoyangeorgiev)

    Hey there @neoset

    Thank you for the feedback! Such feedbacks are highly appreciated.

    We will provide a fix for that issue in the upcoming version of the plugin.

    Kind regards,
    Stoyan

    Thread Starter neoset

    (@neoset)

    Hello, on the confirmation page to delete personal data on the web that you send us from the email, in the url address box the following url address is also displayed:
    /wp-login.php?action=confirmaction&request_id=3353&confirm_key=Iq6CH8VpT5bxzsOmgsLT&sgs-token=enter
    In principle, it only seems that it happens in deleting personal data both in the email and in the confirmation page.
    Another minor error is that when I click on any section of the SG Security tab the font of the other tabs increases in size.
    Once you see it, you can consider the issue solved.
    All the best.

    Plugin Author Elena Chavdarova

    (@elenachavdarova)

    Thank you for your update, @neoset!

    Could you please specify the exact browser you are using as I am not able to replicate the font change issue reported.

    Best Regards,
    Elena

    Thread Starter neoset

    (@neoset)

    Firefox, Edge and Chrome in a clean installation of wordpress without plugins only SG Security.

    Sin-t-tulo

    • This reply was modified 3 years, 4 months ago by neoset.
    Plugin Author Hristo Pandjarov

    (@hristo-sg)

    SiteGround Representative

    These issues are fixed in the upcoming maintenance update.

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘Token visible by email’ is closed to new replies.