In Liferay DXP 7.0, 7.1 and 7.2, user's passwords are stored in the database if workflow is enabled for new users. This allows attackers with access to the database to obtain the user's unencrypted password.