Users who are not permitted to publish or edit published posts can, in fact, view and edit published posts via the WPUF dashboard.
If WPUF is configured so that new posts are submitted as pending, then posts are not published until an admin approves the content and publishes the posts from the wp backend. However, once the post has been published the person who initially submitted the post can view, edit, and delete the post via the WPUF dashboard and, potentially, replace all of the content with unapproved content before an admin has an opportunity to see it. This is the case even if the user has not been granted capabilities to publish or edit published posts. This creates a liability that undoubtedly prevents many from being able to use the plugin.
The posts that appear in the WPUF dashboard should be determined by the capabilities that have been granted to the user.
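A capability-driven version of the filtering the post asks for, added here as an example and not WPUF's own code: the dashboard query only returns statuses the user may edit, and each edit/delete request is re-checked server-side. The `example_` function names are hypothetical, and the post type `post` is assumed.

```php
<?php
// Added example, not WPUF code. Restricts a front-end dashboard to the post
// statuses the current user actually holds capabilities for.

// Statuses this user may list and act on. Contributors (edit_posts only) get
// drafts and pending posts; 'publish' needs edit_published_posts.
function example_editable_statuses_for_user( $user_id ) {
    $type     = get_post_type_object( 'post' ); // assumption: standard 'post' type
    $statuses = array();

    if ( user_can( $user_id, $type->cap->edit_posts ) ) {
        $statuses[] = 'draft';
        $statuses[] = 'pending';
    }
    if ( user_can( $user_id, $type->cap->edit_published_posts ) ) {
        $statuses[] = 'publish';
    }
    return $statuses;
}

// Dashboard listing: the user's own posts, limited to editable statuses.
function example_dashboard_posts( $user_id ) {
    $statuses = example_editable_statuses_for_user( $user_id );
    if ( empty( $statuses ) ) {
        return array(); // nothing this user is allowed to touch
    }
    return get_posts( array(
        'author'      => $user_id,
        'post_type'   => 'post',
        'post_status' => $statuses,
        'numberposts' => -1,
    ) );
}

// Server-side checks at request time. current_user_can( 'edit_post', $id )
// goes through map_meta_cap, which for a published post requires
// edit_published_posts even when the current user is the post's author,
// so a Contributor who submitted the post is refused once it is published.
function example_assert_can_edit( $post_id ) {
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_die( esc_html__( 'You are not allowed to edit this post.' ), 403 );
    }
}

function example_assert_can_delete( $post_id ) {
    if ( ! current_user_can( 'delete_post', $post_id ) ) {
        wp_die( esc_html__( 'You are not allowed to delete this post.' ), 403 );
    }
}
```

Hiding a post from the listing is not enough on its own; the `example_assert_*` checks are what stop a crafted edit or delete request against a post ID the user can guess.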
- The topic ‘Flaw / Potential Security Issue with WordPress User Front End’ is closed to new replies.