WordPress.org

Support

Support » Plugins and Hacks » [Plugin: User Role Editor] Editor can Edit Admin!!

[Plugin: User Role Editor] Editor can Edit Admin!!

  • Hi there,
    Thanks for version 2, but still there is a security hole:

    I gave Editor ability to see & edit users

    When I edit user, this is the url:
    /wp-admin/user-edit.php?user_id=20&wp_http_referer=/wp-admin/users.php

    If I change the user_id from 20 to 1 (the admin id) I can edit the admin user level and set it to editor and below.

    http://wordpress.org/extend/plugins/user-role-editor/

Viewing 9 replies - 1 through 9 (of 9 total)
  • Hi,
    You are right. It is the real security hole. I will investigate the subject and return with the solution.
    Thanks for the help.
    Regards,
    Vladimir.

    I fixed this issue as for
    user-edit.php?user_id=
    as for
    user.php?action=delete&user=
    requests in URE version 2.0.1
    Thanks again.
    Please check and share with your test results.

    I confirm, not possible to edit admin by changing id at the url anymore.

    Thanks a lot.

    I tried switching off edit_others_pages and delete_others_pages for the Editor role, then went to Pages and found that the Trash option and Empty Trash in the Trash bin were available and worked for an Editor for pages created by Admin.

    I’m on 2.9.2.

    Thanks

    Excuse me for so late reply. I counted this topic as closed and did not look into it long time.
    1st, I tried to repeat your actions and have not ‘Edit’ option at the pages list for admin created pages – just ‘View’ one. So I have not any Trash links for modified this way Editor role.
    2nd, If some problem exists in this case, I’m not sure that it is the URE plugin problem.

    Latest version brings back this old problem, Editor got Administrator power now.

    Ups! Thank you.
    I will check and return with update ASAP.

    Please try this version
    http://www.shinephp.com/wp-content/downloads/wordpress/plugins/user-role-editor-2.2.3.zip
    Only user with Administrator role and superadmin user multi-site environment have access to the User Role Editor Settings page now.
    I need to update code yet in order sub-blog admin under multi-site can use URE too for its own sub-blog. I plan to make it tomorrow.

    There is a hole if user has ‘delete_users’ and plugin management capabilities as WP consider him administrator then and gives access to the Plugins menu, where user can deactivate URE or just upload any PHP code as WP plugin… It is more a question of the trust and accuracy when giving critical rights to someone.

    Thank you Vladimir,
    Things are back to normal now.

Viewing 9 replies - 1 through 9 (of 9 total)
  • The topic ‘[Plugin: User Role Editor] Editor can Edit Admin!!’ is closed to new replies.