Import User with Higher Role
Thank you for your plugin. However, there is a security vulnerability in the import functionality. A user with the capability “create_users” can import users. Wonderful! However, this plugin doesn’t check to see if the role being imported is at the same level as or below that of the current user. This allows a user to import a user with higher capabilities. A user adding a user through the WordPress Add User page cannot add a user higher than their role, so this issue is created by this plugin.
While of course you should trust anyone that has the create_users capability, in some cases this person may not be an administrator. A use case is a website for a client that has far-ranging capability but where more of the administration roles are left to someone else, following good security practices. Please fix this major security loophole!
Thank you.
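The check the post is asking for, written as an added example rather than the plugin's own code. It assumes it runs inside a loaded WordPress install; the function names `example_can_assign_imported_role` and `example_import_user_row` and the sample row are constructed for illustration. A role is refused when it is not among the roles WordPress lets the current user hand out, or when it grants any capability the importing user does not itself hold.

```php
<?php
/**
 * Added example (not the plugin's code): refuse to import a user whose
 * requested role carries capabilities the importing user does not have.
 * Assumes WordPress is loaded (wp-load.php) before this file runs.
 */

/**
 * Decide whether the current user may assign $role to an imported user.
 * Returns true only if (a) the role exists, (b) WordPress lists it among
 * the roles the current user may give out (get_editable_roles()), and
 * (c) every capability the role grants is one the current user already holds.
 */
function example_can_assign_imported_role( $role ) {
    $role_obj = get_role( $role );
    if ( ! $role_obj ) {
        return false; // unknown role name in the import file
    }

    // get_editable_roles() lives in wp-admin/includes/user.php; load it when
    // the import runs outside wp-admin (for example a front-end or CLI handler).
    if ( ! function_exists( 'get_editable_roles' ) ) {
        require_once ABSPATH . 'wp-admin/includes/user.php';
    }
    $editable = get_editable_roles();
    if ( empty( $editable[ $role ] ) ) {
        return false;
    }

    // Defence in depth: a role is "higher" if it grants any capability the
    // importer lacks. Only capabilities set to true count as granted.
    foreach ( $role_obj->capabilities as $cap => $granted ) {
        if ( $granted && ! current_user_can( $cap ) ) {
            return false;
        }
    }
    return true;
}

/**
 * Import one row of the import file. $row is a constructed associative array
 * such as array( 'user_login' => 'jdoe', 'user_email' => 'jdoe@example.com', 'role' => 'editor' ).
 * Returns the new user ID, or a WP_Error explaining why the row was refused.
 */
function example_import_user_row( array $row ) {
    if ( ! current_user_can( 'create_users' ) ) {
        return new WP_Error( 'forbidden', 'You are not allowed to create users.' );
    }

    $role = isset( $row['role'] ) ? sanitize_key( $row['role'] ) : get_option( 'default_role' );

    if ( ! example_can_assign_imported_role( $role ) ) {
        // Refuse and report rather than silently downgrading the role, so the
        // person running the import can see which rows were rejected.
        return new WP_Error(
            'role_too_high',
            sprintf( 'Refused to import "%s": role "%s" exceeds your own privileges.', $row['user_login'], $role )
        );
    }

    return wp_insert_user( array(
        'user_login' => $row['user_login'],
        'user_email' => $row['user_email'],
        'user_pass'  => wp_generate_password( 24 ), // random; user resets it via e-mail
        'role'       => $role,
    ) );
}
```

The `get_editable_roles()` test mirrors what core's own Add User page does, but that list is only as narrow as the `editable_roles` filter makes it, so the capability-subset loop is the part that actually guarantees an importer with `create_users` cannot create an account that outranks them. Returning a `WP_Error` per row also gives the site owner something to log when an import tries to do so.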