[Plugin: User Role Editor] Editor can Edit Admin!! (10 posts)

  1. saharusa
    Posted 6 years ago #

    Hi there,
    Thanks for version 2, but there is still a security hole:

    I gave the Editor the ability to see & edit users.

    When I edit a user, this is the URL:

    If I change the user_id from 20 to 1 (the admin id), I can edit the admin's user level and set it to editor or below.


  2. Vladimir Garagulya
    Posted 6 years ago #

    You are right. It is a real security hole. I will investigate the subject and return with a solution.
    Thanks for the help.

  3. Vladimir Garagulya
    Posted 6 years ago #

    I fixed this issue as for
    as for
    requests in URE version 2.0.1
    Thanks again.
    Please check and share with your test results.

  4. saharusa
    Posted 6 years ago #

    I confirm, it is not possible to edit the admin by changing the id in the URL anymore.

    Thanks a lot.

  5. bluemason
    Posted 6 years ago #

    I tried switching off edit_others_pages and delete_others_pages for the Editor role, then went to Pages and found that the Trash option and Empty Trash in the Trash bin were available and worked for an Editor for pages created by Admin.

    I'm on 2.9.2.


  6. Vladimir Garagulya
    Posted 6 years ago #

    Excuse me for such a late reply. I counted this topic as closed and did not look into it for a long time.
    1st, I tried to repeat your actions and did not get an 'Edit' option in the pages list for admin-created pages, just a 'View' one. So I do not have any Trash links for an Editor role modified this way.
    2nd, if some problem exists in this case, I'm not sure that it is the URE plugin's problem.

  7. saharusa
    Posted 5 years ago #

    The latest version brings back this old problem; Editor got Administrator power now.

  8. Vladimir Garagulya
    Posted 5 years ago #

    Oops! Thank you.
    I will check and return with an update ASAP.

  9. Vladimir Garagulya
    Posted 5 years ago #

    Please try this version
    Only a user with the Administrator role, and the superadmin user in a multi-site environment, have access to the User Role Editor Settings page now.
    I still need to update the code so that a sub-blog admin under multi-site can use URE for its own sub-blog too. I plan to do it tomorrow.

    There is a hole if a user has 'delete_users' and plugin management capabilities, as WP considers him an administrator then and gives access to the Plugins menu, where the user can deactivate URE or just upload any PHP code as a WP plugin... It is more a question of trust and accuracy when giving critical rights to someone.
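    The root cause in post 1 is that the handler trusted the `user_id` query parameter without checking that the current user is allowed to change that particular user's role. The check below is an added example written for this thread, not code from User Role Editor; it assumes a WordPress runtime, and `ure_demo_can_edit_target_role()` is a hypothetical name.

```php
<?php
// Added example, not the plugin's own code. Decide whether the current user may
// change the role of the user whose id arrived in the request, instead of
// trusting user_id. Assumes WordPress core functions are loaded.

function ure_demo_can_edit_target_role( int $target_user_id ): bool {
    // Require the generic capability first: a user who may only edit their
    // own profile must not reach role editing at all.
    if ( ! current_user_can( 'edit_users' ) ) {
        return false;
    }

    // WordPress' own per-user meta capability (applies multisite rules too).
    if ( ! current_user_can( 'edit_user', $target_user_id ) ) {
        return false;
    }

    $target = get_userdata( $target_user_id );
    if ( ! $target ) {
        return false;
    }

    // On multisite, only a super admin may touch another super admin.
    if ( is_multisite() && is_super_admin( $target_user_id ) && ! is_super_admin() ) {
        return false;
    }

    // Block upward edits: the target must not hold any capability the current
    // user lacks, so an Editor (user_id 20 in the report) cannot edit the
    // Administrator (user_id 1) by rewriting the URL.
    $current = wp_get_current_user();
    foreach ( $target->allcaps as $cap => $granted ) {
        if ( $granted && empty( $current->allcaps[ $cap ] ) ) {
            return false;
        }
    }
    return true;
}

// Usage at the top of the edit-user request handler, before any role change.
$target_user_id = isset( $_GET['user_id'] ) ? absint( $_GET['user_id'] ) : 0;
if ( ! ure_demo_can_edit_target_role( $target_user_id ) ) {
    wp_die( 'You are not allowed to edit this user.', 403 );
}
```

    The capability-superset test is deliberately stricter than role names alone, so a custom role that was granted administrator-level capabilities is treated like an administrator.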

  10. saharusa
    Posted 5 years ago #

    Thank you Vladimir,
    Things are back to normal now.

Topic Closed
