By default, only administrators have the ‘edit_theme_options’ necessary to access the widget admin panel. However, some sites have a role (e.g. for theme editors & graphic designers) between editor and administrator with this capability. If widget logic is installed on such a site, it introduces a privilege escalation.
Awhile back I submitted a ticket and patch to the plugins track that addressed this by adding an option for & a check against an arbitrary capability necessary to access widget logic options (it defaults to “administrator”, so only admins can add widget logic to a widget). The check-points are:
- when adding the various admin filters,
- when processing an AJAX update (
- when setting up the widgets for editing (
- when displaying widget logic options (
The last two are redundant given the first, but the extra security checks don’t hurt. The patch probably won’t apply to the current release, but if you’re open to including it in WL, I’ll gladly update it.
- The topic ‘Feature request patch: capabilities-based security’ is closed to new replies.