My first concern is that the password is stored as plain text with no hashing. Take a look at PHP's password_hash function. While it is true that in theory an end-user should never see the raw PHP, it's certainly possible that something go wrong and then you have the end user's password out for the world to see. Given the fact that humans often re-use passwords, this means a hacker could gain access to other accounts.
My first concern is that the password is stored as plain text with no hashing. Take a look at PHP's password_hash function. While it is true that in theory an end-user should never see the raw PHP, it's certainly possible that something go wrong and then you have the end user's password out for the world to see. Given the fact that humans often re-use passwords, this means a hacker could gain access to other accounts.