Support » Plugins » Plugin Hacks Via Backdoor

Viewing 6 replies - 1 through 6 (of 6 total)
  • Thread Starter carlocab123

    (@carlocab123)

    Any updates guys?

    whooami

    (@whooami)

    I just looked at the second one:

    add_options_page(__('Feed Count'), __('Feed Count'), 1, __FILE__, 'mapelli_fc_option_page');

    that allows anyone with a 1 or better access.

    I've installed that on a fresh install and can't duplicate your problem with a test subscriber account.

    Are your subscribers assigned 1’s ?? They ought to be 0’s.

    http://codex.wordpress.org/Roles_and_Capabilities#level_0

    Users are also limited by the access they have to the parent page, options-general.php
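
Added example, not part of the original thread or the plugin's own code: a Python audit that flags WordPress menu registrations, like the `add_options_page` call quoted above, whose capability argument is a numeric user level rather than a named capability such as `manage_options`. The list of functions checked and sample lines 3 and 4 are constructed for illustration.

```python
import re

# Zero-based position of the capability argument for each WordPress menu
# registration function (add_submenu_page takes the parent slug first).
CAP_ARG = {"add_options_page": 2, "add_management_page": 2,
           "add_menu_page": 2, "add_submenu_page": 3}
CALL = re.compile(r"\b(%s)\s*\(" % "|".join(CAP_ARG))
USER_LEVEL = re.compile(r"['\"]?(?:level_)?\d+['\"]?")  # 1, '1', 'level_1'

def split_args(src, i):
    """Split a PHP call's arguments, starting just after its opening '('."""
    args, cur, depth, quote = [], "", 0, None
    while i < len(src):
        ch = src[i]
        if quote:
            if ch == "\\":                # escaped character inside a string
                cur, i = cur + src[i:i + 2], i + 2
                continue
            quote = None if ch == quote else quote
        elif ch in "'\"":
            quote = ch
        elif ch in "([":
            depth += 1
        elif ch in ")]" and depth == 0:   # closing paren of the call itself
            return args + [cur.strip()]
        elif ch in ")]":
            depth -= 1
        elif ch == "," and depth == 0:    # top-level argument separator
            args, cur, i = args + [cur.strip()], "", i + 1
            continue
        cur += ch
        i += 1
    return args                           # unterminated call: partial list

def audit(php_source):
    """Return (line, function, capability) for user-level capability args."""
    findings = []
    for m in CALL.finditer(php_source):
        args = split_args(php_source, m.end())
        pos = CAP_ARG[m.group(1)]
        if len(args) > pos and USER_LEVEL.fullmatch(args[pos]):
            line = php_source.count("\n", 0, m.start()) + 1
            findings.append((line, m.group(1), args[pos]))
    return findings

# Line 2 is the call quoted in the thread; lines 3 and 4 are constructed.
SAMPLE = """<?php
add_options_page(__('Feed Count'), __('Feed Count'), 1, __FILE__, 'mapelli_fc_option_page');
add_options_page(__('Feed Count'), __('Feed Count'), 'manage_options', __FILE__, 'mapelli_fc_option_page');
add_submenu_page('options-general.php', 'Demo', 'Demo', 'level_8', 'demo', 'demo_page');
"""
```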

    whooami

    (@whooami)

    As a follow-up, I made my test subscriber a contributor, and still couldn't load the options page for that plugin directly.

    Since contributors don't have manage_options capabilities they seemingly can’t access anything loaded from the parent page, again that's options-general.php

    Thread Starter carlocab123

    (@carlocab123)

    Hey whooami,

    Try testing it on my blog that caught the problem:

    ==> http://www.carlocab.com/wp-login.php?action=register

    Thanks.

    whooami

    (@whooami)

    It's not the plugin. As an admin, what is the link that you see when you hover over the options tab?

    As a subscriber, I see:

    http://www.carlocab.com/wp-admin/admin.php?page=feedcount.php

    That's NOT a normal link for that tab.

    I've looked at a 2.0.11, a 2.3.3 and a 2.5 install; none of them even show that tab to subscribers, much less make that tab, that link.

    The options tab ought to point to http://www.carlocab.com/wp-admin/options-general.php

    .. which by the way, when I load in my browser, tells me, correctly, that I don't have access.

    I also just uploaded that plugin to yet another 2.3.3 install, created a subsc. acct, logged out, and logged in as the lesser person — I can't duplicate what's going on on your site.

    I suggest, at the very least, deleting all the core WP files from your wp-admin directory (including wp-admin/includes/), and uploading fresh copies.

    And are you using any plugins that make modifications to the admin area?

    The other thing that suggests that this is your install and not a singular plugin issue is that you seemingly see it with 2 plugins.

    I didn't hunt around for the other.. didn't see so maybe you have disabled it. Either way, plugins are typically written to take advantage of WP’s built-in ability to keep users where they belong, and that you have 2 anomalies suggests it's the site.

    If you like, after you re-upload those files, I’ll take another peek, or you can (make a test subscriber acct) 🙂 Just clear your cache first, and obviously make sure you log in as a subsc. and not an admin

    I’m having a similar issue for my blog, which uses WP 2.7 (I upgraded it). When I’m logged in as a user who is only an Editor, I encounter permissions errors for the Settings pages of all available plugins.

    For example, when I hover over the Settings link, I get the following link to my first plugin with settings accessible to Editors (in this case, the DoFollow plugin):

    http://myblog.com/wp-admin/admin.php?page=dofollow.php

    but when I hover over each of my plugins under the Settings panel, I get the following links:

    http://myblog.com/wp-admin/options-general.php?page=dofollow.php

    And then underneath the DoFollow plugin, I have the Subscribe to Comments plugin, which has this link under the Settings panel:

    http://myblog.com/wp-admin/options-general.php?page=stc-options

    Whenever I click on one of the links underneath the Settings panel, I get the following error:

    “You do not have sufficient permissions to access this page.”

    What am I doing wrong? Will I have to tell everyone who wants to use my plugin, that they will have to reinstall the core files of their WP 2.7 installation to use my plugin? That seems extreme? Is this a bug?

    Thanks, Will

  • The topic ‘Plugin Hacks Via Backdoor’ is closed to new replies.