envato-wordpress-toolkit

API not encrypted in database

Open mikakaltoft opened this issue 10 years ago • 1 comments

Just inspected the API input field, and saw that the type is password. When I changed that to text it showed me the API and I could also see the API under value.

Now, honestly, I do not know how to make this more secure, however, any hacker could potentially get the Marketplace Username and API and use it on another WordPress install and then download all the user's themes.

mikakaltoft avatar Nov 11 '15 10:11 mikakaltoft

I would be more concerned with the fact a hacker is in your admin area or accessing your database than your marketplace API key not being stored as a hashed value. For one, the version of the API this plugin connects to is being deprecated, much like this plugin, and will no longer work soon. Second, the new plugin that is replacing this one uses the new API, which means the keys can now be revoked. So if you feel you've been hacked you would delete the key from the Envato API. The new plugin will be ready soon, it's gotten a lot of attention recently. Unfortunately, it's in a private repo until all the todo items are completed for a public beta and moved into its new home.

The field should never have been set as a password anyhow. You should be able to see which key you're using to connect with and the page should be restricted to admins.

valendesigns avatar Nov 11 '15 13:11 valendesigns