• This is a decent plugin, but it has a major security flaw. It creates submenus that cannot be removed and allow ANY user to “restore backup” or “Bulk” optimize/Bulk Delete.

    I had to add several filters in the functions file to combat the flaw & prevent users from rewriting ALL of my images (again!)

    I love that it reduces images, but I’m not impressed that any subscriber has the right to optimize/alter settings.

    • This topic was modified 2 years, 3 months ago by budget101. Reason: stupid thing increased the stars
Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support Gerard Blanco

    (@sixaxis)

    Hi @budget101,

    Thank you for your review. Good or bad, we appreciate them all. 🙂

    However, I must say that what you are saying is a bit misleading. First, this does not qualify as a major security flaw. We would be talking instead about a bug or a feature request.

    Most importantly, it is not true that any user can restore backups, bulk optimize or bulk delete images. Only administrators and editors can perform such actions. Also, although not officially, those submenus you mention can be removed, and we are always more than happy to help any client do it if they contact us.

    In any case, I’m sure you’ll be happy to hear that we have already on our roadmap a feature request to customize the roles that can access certain menus or do certain actions.

    We’d appreciate it if you contact us so we can show you and explain everything above. And of course, any other question or request, we’ll be happy to answer!

    Thank you,

    Thread Starter budget101

    (@budget101)

    However, I must say that what you are saying is a bit misleading. First, this does not qualify as a major security flaw.

    Really? The fact that a subscriber has the capability to bulk delete 20,000 photos feels like a security flaw to me, but we can refer to it as a bug if it makes you feel better.

    Most importantly, it is not true that any user can restore backups, bulk optimize or bulk delete images. Only administrators and editors can perform such actions.

    I wish that were the case. Actually, it’s quite true and when I tried to post snipboard screenshots, I received a yellow warning message showing that I wasn’t permitted to do so.
    They weren’t just “appearing” to be an option by the annoying menu that couldn’t be removed. The option worked, they also could fully restore the shortpixel database. Again, tried to post screenshots, but I got my hand slapped.

    In any case, I’m sure you’ll be happy to hear that we have already on our roadmap a feature request to customize the roles that can access certain menus or do certain actions.

    That is refreshing as I do not wish to use multiple functions to protect my images:

    1. To disallow users from seeing anything but their own images
    2. To disallow the List Mode, which gave them access to ShortPixel Compression Settings
    3. To disable the bulk Delete mode that does indeed still work

    $subscriber = get_role('subscriber'); // WP_Role object for the built-in Subscriber role
    $subscriber->remove_cap('handleCustomBulk');
    $subscriber->remove_cap('manage_media_columns');

    At this point I’m good, I finally secured my site, and I was just letting you know so you could address the issues as you see fit.
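The thread above turns on two separate things: hiding a submenu and actually revoking the right to run the action behind it. The following is an added example (not ShortPixel's code and not posted by either participant) of a small WordPress plugin that does both; the submenu slugs `example-bulk-optimize` and `example-restore-backup` are placeholders, and the two capability names are the ones quoted in the post above.

```php
<?php
/**
 * Plugin Name: Restrict image-optimizer bulk actions to administrators (added example)
 *
 * Added example, not the plugin's own code. The submenu slugs are placeholders;
 * the real ones are whatever the plugin passes to add_submenu_page().
 */

// Step 1: hide the submenu for non-administrators. This is cosmetic only: a user
// who still holds the capability can reach the page by URL, so do not stop here.
add_action( 'admin_menu', function () {
    if ( current_user_can( 'manage_options' ) ) {
        return; // administrators keep the full menu
    }
    remove_submenu_page( 'upload.php', 'example-bulk-optimize' );  // placeholder slug
    remove_submenu_page( 'upload.php', 'example-restore-backup' ); // placeholder slug
}, 999 ); // late priority so it runs after the plugin has registered its pages

// Step 2: revoke the capability itself on roles that should never have it.
// Role capabilities persist in the database, so this only needs to run once.
register_activation_hook( __FILE__, function () {
    foreach ( array( 'subscriber', 'contributor', 'author' ) as $role_name ) {
        $role = get_role( $role_name );
        if ( $role instanceof WP_Role ) {
            $role->remove_cap( 'handleCustomBulk' );     // capability named in the thread
            $role->remove_cap( 'manage_media_columns' ); // capability named in the thread
        }
    }
} );

// Step 3: enforce server-side regardless of menus, so a direct request to the
// placeholder bulk page is refused for anyone below administrator.
add_action( 'admin_init', function () {
    $page = isset( $_GET['page'] ) ? sanitize_key( wp_unslash( $_GET['page'] ) ) : '';
    if ( in_array( $page, array( 'example-bulk-optimize', 'example-restore-backup' ), true )
         && ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to run bulk image operations.' ), 403 );
    }
} );
```

Step 3 is the check that matters: if a plugin's own page handler does not call `current_user_can()` for a suitable capability, hiding its menu entry changes nothing about who can trigger the action.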

    Plugin Support Gerard Blanco

    (@sixaxis)

    Hi @budget101,

    Feel free to open a new support thread so we can further help you. From our side we cannot reproduce the issue; a subscriber has no permissions to do anything with ShortPixel (just tried it). In fact, a subscriber should not have permission to enter your wp-admin at all, which is the default WordPress behaviour. If it can access your wp-admin, it means the Subscriber role was altered somehow.

    As you can understand, we cannot support custom WordPress behaviour, but anyway we will be more than happy if you gave us the opportunity to help you. I am honestly curious about what you see from your side.

    Looking forward to hearing from you on the support forums!

    Best,

  • The topic ‘Decent Plugin, Major Security Flaw’ is closed to new replies.