Why are passwords exportable as plain text in WordPress?

You cannot export passwords as plaintext in WordPress, because they are not stored in plaintext. What you see here is obviously the result of a very bad plugin.

Fields like Payment, Sex or Company are not even part of the regular WordPress tables.

For the future: Do not install plugins without prior tests and reviews in a safe environment. Use a local setup to find such security problems. Especially when you are dealing with other peoples data, this is a requirement.

What you should do now: Disable all plugins until this export is not possible anymore. The last disabled plugin was probably the problem. Find all the tables that it has created, delete those tables. Uninstall that plugin.

Related Posts:

  1. Where to securely store API keys and passwords in WordPress?
  2. How is password strength calculated?
  3. Make password invalid once logged out of password-protected page
  4. Can’t reset WordPress password
  5. Is the “lost password” feature truly a vulnerability?
  6. Frontend Password change
  7. Is it possible to reduce the minimum character length for passwords?
  8. Is there any point setting the keys and salts in wp-config.php?
  9. When is wp_set_password() called or how to capture a password
  10. Moving away from MD5: Where to declare the custom global $wp_hasher?
  11. How to get WordPress to send Password Reset Link Email instead of New Password?
  12. Basic password protection without using users and roles
  13. How can I force a specific password?
  14. Can a WordPress administrator see other users’ passwords?
  15. After limiting the access to my wp-login.php by IP through .htaccess, all my password-protected posts stopped working. What’s the best solution now?
  16. Password-protect feed and make it usable in major aggregators
  17. Could a user account with a stolen password compromised entire WP site?
  18. How to set custom validation for WordPress Passwords?
  19. Is my WP site being hacked?
  20. How to get real password (before encrypt) when register a user?
  21. Directory to store secure file
  22. Can you alter the default wordpress strong password requirements?
  23. SSL Error: unable to get local issuer certificate
  24. When you use ‘badidea’ or ‘thisisunsafe’ to bypass a Chrome certificate/HSTS error, does it only apply for the current site? [closed]
  25. Why does the URL http://a/%%30%30 crash Google Chrome?
  26. When you use ‘badidea’ or ‘thisisunsafe’ to bypass a Chrome certificate/HSTS error, does it only apply for the current site?
  27. Can an attacker use inspect element harmfully?
  28. Where does Internet Explorer store saved passwords?
  29. WordPress 4.7.1 REST API still exposing users
  30. Should I escape wordpress functions like the_title, the_excerpt, the_content
  31. Why does WordPress need my private ssh key to update?
  32. When to use esc_html and when to use sanitize_text_field?
  33. What is the ideal setup to address security concerns?
  34. is_email() VS sanitize_email()
  35. Can someone explain the use cases of esc_html?
  36. Close a wordpress blog – keep site as it is but prevent hacks
  37. Moving wp-config.php: Can this be done after site launch?
  38. Prevent setup-config.php page from appearing when host blocks database
  39. WordPress and Security
  40. Is /wp-login.php?redirect_to[] exploitable?
  41. brute force attack even though it is limited by IP
  42. What should I do about hacked server?
  43. How do I authenticate WP users from a chrome extension?
  44. Website is being flooded [closed]
  45. Should I Worry About SQL Injection When Using wp_insert_post?
  46. Auth cookie value security risk?
  47. Is there a way for a user to have an alias?
  48. Security – Shortcode injection attack
  49. Registration Plugin – Recaptcha integration
  50. How to combat flooding admin-ajax.php?
  51. Would it be dangerous to send all the wp_options to javascript file?
  52. Frequently getting attacks on admin-ajax.php, wp-cron.php, xmlrpc.php and wp-login.php
  53. Should I disable directory listing for wp-includes?
  54. Safety side of storing emoji into database
  55. How can I safely hide the fact that my website runs on WordPress? [closed]
  56. How to change permissions of WordPress and/or apache on macOS securely?
  57. How can I display nickname instead username in links
  58. My WordPress Websites are always under attack
  59. Is there value in using a wp_nonce for POST requests?
  60. How to hide easy access to my website temporarily?
  61. Can I Remove xmlrpc.php completely?
  62. Config file with no Keys..?
  63. How much should I worry about these messages?
  64. Uploading .webm format on WordPress results in security guidline breach and fail
  65. Any any insecure http:// URLs left in wordpress?
  66. White screen of death on admin pages after moving wp-config up two levels for security
  67. WordPress Password security related questions
  68. Session Cookie security questions
  69. Storing FTP details in wp-config.php
  70. Why my plugins are updating automatically?
  71. How can I password protect a WordPress site without requiring users to log in?
  72. Spam injected in w3 total cache page cache [closed]
  73. Privilege escalation bugs in 2.9?
  74. Content-Security-Policy blocks WordPress check boxes from being activated
  75. Prevent editor from adding script or form
  76. How to change location of wp-config.php to folder or 2 folders up?
  77. Finding where a snippet of code is coming from
  78. wordpress admin security
  79. Remove hacked code – out of ideas! [closed]
  80. Why do people use “admin” username by default? [closed]
  81. WordPress Database Re-installed (Hacked)
  82. How to invalidate `password reset key` after being used
  83. WordPress Security tools
  84. Robots.txt file not updating
  85. Security: Critical backend outside of wordpress
  86. Advice On How to Backup WordPress
  87. How can I stop other plugins from using my class’ sensitive methods?
  88. How to Password Protect whole site except for some subdirectories
  89. What are WordPress Current Security Issues in 2017?
  90. wp-config.php moved above root results in no plugin updates
  91. WordPress exploited theme is causing high io load on server
  92. how to find the way they hacked my WP site
  93. How to stop repeated hack on header.php of custom theme? [closed]
  94. What techniques can a user employ to achieve a password rated “strong” in the WordPress password checker
  95. is this code properly secured
  96. nginx + wordpress: Best practices for configuring it to be secure, reliable, and fast? [closed]
  97. How can I give someone server access to only duplicate and modify a site?
  98. WP-JSON: Cross Origin Resource Sharing Vulnerability?
  99. How can I implement ansible with per-host passwords, securely?
  100. how to sanitizing $_POST with the correct way?

Leave a Comment