Viewing 11 replies - 1 through 11 (of 11 total)
  • I think this is the fix for it… change $user variable to $tmpuser (except the error)

    function abpr_authenticateUser( $user, $username, $password ){
    	global $wpdb;
    	// Look the account up into its own variable: $user is the value handed in
    	// by the 'authenticate' filter and must not be overwritten by the lookup
    	$tmpuser = get_userdatabylogin( $username );

    	$cap = $wpdb->prefix . "capabilities";

    	if ( $tmpuser != null && array_key_exists( ABSPRIVACY_ROLEREF, $tmpuser->$cap ) ) {	//if the user's role is listed as "unapproved"
    		$user = new WP_Error( 'unapproved', __("<strong>ERROR</strong>: The administrator of this site must approve your account before you can login. You will be notified via email when it has been approved.") );
    		add_filter( 'shake_error_codes', 'abpr_add_error_code' );	//make the login box shake
    		remove_action( 'authenticate', 'wp_authenticate_username_password', 20 );	//prevent authentication of user
    	}

    	return $user;	//unchanged (null) unless we blocked the login above
    }

    I’ve tested it and it seems to be good…
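The difference Chris's change makes, as an added stand-alone PHP illustration that is not code from the plugin or from this thread: it stubs the two steps of the 'authenticate' filter chain and runs a wrong password through the overwriting and the $tmpuser shape of the hook. The WP_Error/WP_User stubs, the sample accounts and the simplified core password check are all constructed for the example.

```php
<?php
// Added illustration, not the plugin's code: a stand-alone stub of the WordPress
// 'authenticate' filter chain showing why overwriting $user inside the hook let
// any password through, and why looking up into $tmpuser instead closes it.
// All names and data (WP_* stubs, user table, core stand-in) are constructed.
class WP_Error { public $code; public function __construct($code, $msg = '') { $this->code = $code; } }
class WP_User  {
    public $user_login; public $roles;
    public function __construct($login, array $roles) { $this->user_login = $login; $this->roles = $roles; }
}
define('ABSPRIVACY_ROLEREF', 'unapproved');
// Constructed stand-in for get_userdatabylogin(): two accounts, one still unapproved.
function stub_get_userdatabylogin($login) {
    $table = ['alice' => ['subscriber'], 'bob' => [ABSPRIVACY_ROLEREF]];
    return isset($table[$login]) ? new WP_User($login, $table[$login]) : null;
}
// Stand-in for core wp_authenticate_username_password (priority 20). Like the real
// one it returns early when an earlier filter already supplied a WP_User, i.e. it
// trusts that filter and never compares the password in that case.
function stub_core_password_check($user, $username, $password) {
    if ($user instanceof WP_User) return $user;
    if ($user instanceof WP_Error) return $user;   // simplified; the plugin removes this action instead
    if ($username === 'alice' && $password === 'correct-horse') return new WP_User('alice', ['subscriber']);
    return new WP_Error('incorrect_password');
}
// Vulnerable shape of the hook: the lookup result replaces the incoming $user,
// so a WP_User reaches core before any password was compared.
function vulnerable_authenticateUser($user, $username, $password) {
    $user = stub_get_userdatabylogin($username);                  // BUG: overwrites filter value
    if ($user !== null && in_array(ABSPRIVACY_ROLEREF, $user->roles, true)) {
        $user = new WP_Error('unapproved');
    }
    return $user;
}
// Fixed shape (the $tmpuser change): the lookup lives in its own variable and
// $user is only assigned when returning a WP_Error to block the login.
function fixed_authenticateUser($user, $username, $password) {
    $tmpuser = stub_get_userdatabylogin($username);
    if ($tmpuser !== null && in_array(ABSPRIVACY_ROLEREF, $tmpuser->roles, true)) {
        $user = new WP_Error('unapproved');
    }
    return $user;                                                 // still null: core decides
}
// Same chain, wrong password for an approved account, once per hook version.
foreach (['vulnerable_authenticateUser', 'fixed_authenticateUser'] as $hook) {
    $user = $hook(null, 'alice', 'not-the-password');                     // priority 10
    $user = stub_core_password_check($user, 'alice', 'not-the-password'); // priority 20
    printf("%-27s -> %s\n", $hook, $user instanceof WP_User ? 'LOGGED IN' : 'rejected (' . $user->code . ')');
}
```

Run with `php example.php`: the vulnerable hook reports LOGGED IN for the wrong password, the fixed hook reports rejected (incorrect_password).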

    Chris – This is great news! Many of us appreciate this solution. Is there any chance you could direct us to the actual directory and .php file to which this change applies?

    Also, is the code (as written above) prior to change or after the change?

    Thank you very much for any information you can provide and I apologise for any inconvenience!

    Fyn

    Sorry for wasting your time Chris – I found out where this file is. It is the functions.php file within the Absolute Privacy plugin folder.

    Thanks for your solution!

    Fyn

    No problem Fyn! I should have put that in to begin with…

    Chris’ solution resolves this issue completely. The code which he posted is dead on…

    Ahh… sweet security once again!

    Thread Starter schaffnern

    (@schaffnern)

    Thanks from me too! As far as I can see, this fixes the problem. Any idea why that came up?
    Anyways, I would be happy to see an update from the plugin maintainers…

    Thanks so much chriswhittle!

    It worked for me too. Thanks!

    Thank God I found this — I thought I was going crazy when I realized that I could log in with any password. Thanks so much!

    theoriginaldude

    (@theoriginaldude)

    Thanks for the fix

    Plugin Author Eric Mann

    (@ericmann)

    The plugin has been patched as of version 2.0.6 to fix this vulnerability.

  • The topic ‘Absolute Privacy badly broken’ is closed to new replies.