bbPress 2.1 RC4 - Import Forums Database fields should not be pre-populated. Security Concern.
|Reported by:||Omicron7||Owned by:|
The Database fields on the Tools - Forums - Import Forums page should not be pre-populated with the WordPress database connection information. Even though the password field was masked in #1858, the database password is still stored in plaintext in the source. This presents a security risk by disclosing the WordPress database connection information.
This is probably more of an issue in a multisite environment where individual blog admins could get the database connection information for the WordPress Network.
I would recommend leaving these fields blank and possibly adding a note that the connection information, if needed and not know, is in the wp-config.php file.