As a security, userservice plugin allows connection from only allowed IPs (if specified).
However seeing its code, I noticed that it takes IP from X_FORWARDED_FOR request header.
This header can however be faked by client and hence if you know the secret, you can add/update/delete user from anywhere.
My suggestion would be to check only remote address, i.e.
in file: src/plugins/userservice/src/java/org/jivesoftware/openfire/plugin/userService/U serServiceServlet.java
String ipAddress = request.getRemoteAddr();
and rest of the lines checking request header be deleted.
Using userservice plugin, if i just want to update password (name and email parameter not passed in query), it unsets existing name and email, which doesnt make sense.
My suggestion would be to change code slightly as follows:
in file: src/plugins/userservice/src/java/org/jivesoftware/openfire/plugin/UserServicePl ugin.java
update the lines as follows:
if (password != null) user.setPassword(password);
if (name != null) user.setName(name);
if (email != null) user.setEmail(email);
This allows to alter only specified parameters, leaving rest intact.
Hope my suggestions are found to be valid and useful