Support » Plugin: User Role Editor » [Plugin: User Role Editor] Hole security

  • Resolved mcarballo


    Firstly thank you for your plugin!
    I tested this morning and it allows me to solve a problem after I upgraded to WPMU 2.9.2 to WP 3.0.1 (Mulitisite) : provide an opportunity for a blog admin to edit the user profile of other users of the blog.
    Your plugin gives me this opportunity and even more …

    However, it also something that seems to me dangerous : allow an admin to switch to the profile of a superadmin if he is declared User Blog!

    Is this normal and wanted? And would you have a solution to prevent it?

    Thank you in advance for your reply

Viewing 9 replies - 1 through 9 (of 9 total)
  • Plugin Author Vladimir Garagulia


    Thank you for the finding and pointing me the possible security problem. No, raising access level from lower to higher is not wanted in any form.
    I will try to repeat your actions and then return with questions or decision/fix.

    Plugin Author Vladimir Garagulia


    Please, give me a step by step description what did you do to receive this result: switch admin user to profile of a superadmin. Thanks for you help.

    Firstly thank you for your reply.

    Here is an example of how to test (test to be used with WordPress 3.0.1 Multisite):
    – Create a blog child with several users reported as users of this blog with at least one superadmin and a simple admin of the blog (other types of users are not affected by default since they do not see users menu, but users can still serve to complete the tests).
    – Then you have to log in as a blog child (simple) admin. When the extension is enabled, the admin can then connect to the place of any other user of the blog even superadmin and thus access to its own dashboard superadmin.
    This is not disruptive to other types of users but should not be able to access SuperAdmin which holds all rights to all of all blogs.

    I hope I was clear in my explanation …

    Thanks for you help.

    Plugin Author Vladimir Garagulia


    Thanks again. I’m sorry, but I did not catch it yet :).
    By default ‘simple’ admin can remove other users only with the ‘Users’ menu. I guess that the key is in the “opportunity for a blog admin to edit the user profile”. What do you do to get that? Do you create new role for the ‘simple’ admin user?

    When the extension is enabled, the admin can then connect to the place of any other user of the blog even superadmin and thus access to its own dashboard superadmin.

    Please share, how do you do it?

    Hello Vladimir
    Here with a little delay a step by step to make my explanation clearer:
    In the same time look this page ( to have more details and screenshots.

    You must install the last WordPress (3.0.1) with mulitsite/network ability, and is available only if WP_ALLOW_MULTISITE is defined in wp-config.php. (for example this url: http://localhost/wp/)
    For more information about news in WordPress 3.0 :
    For more information about Multisite :
    After, you must show the Super Admin Menu :

    2)Create a new site:
    – Click on the Sites item on the Super Admin menu, a new page appears that allows you to see existing sites and create new site.
    – To add a new site, enter its address (in this situation, we use sub-directories), title and admin email, then click on Add Site.
    – Once new site is created, you can visit it via new address (for example: http://localhost/wp/test). It looks like a normal WordPress blog.

    3)Manage the new site :
    – Go back to Sites menu, when you move mouse over a site name, you can see some actions for the site: Edit, Backend, Deactivate, Archive, Spam, Delete and Visit…
    – Click on the Backend link, you’ll go to the dashboard page of the new site. After logging in, you’ll see a normal Dashboard for the site, here you can add new posts, edit posts, change themes or do whatever you want.

    4)Add users in the new site for test :
    Go to the users menu (not in the Super Admin Menu but below the menu extensions) and create 3 users for test in this new site :
    – first user (ex : toto1) as administrator of the new site
    – second user (ex : toto2) as editor or contributor… (all role as you want but not as administrator)
    – third user (ex : toto3) as administrator or editor or contributor… (all role as you want) but also with super admin privileges for the Network. To do this, edit user information (of toto3) and select grant the user super admin privileges for the Network.

    Now you must have 4 users in your system (you can see all and their sites from the Users item in the Super Admin menu) :
    – you (or first user created during installation) as super-admin in the network
    – toto1 as administrator but only in the new site
    – toto2 as user of the new site
    – toto3 as user of the new site and super-admin in the network

    Install your plugin and try that :
    – First log off
    – Go to the new site (for example: http://localhost/wp/test)
    – Sign in as toto1 administrator
    – Go to the users menu (you must see the 3 users of this site toto1, toto2, toto3)
    – Try your plugin with toto2 (there is no problem)
    – Now try with toto3 : as toto3 is Super Admin you can see all menus including super-admin menu, so you can take full control over the site and the network…

    I think it may be a serious problem.
    To resolve this problem, you should find interesting the option to “grant the user admin privileges for the Super Network” which is new in WordPress 3.0

    I hope this time I was clearer in my explanation …

    Thanks for you help.

    Plugin Author Vladimir Garagulia


    Thank you very much for your patience and desire to help. May be I was not clear enough, but there is no need in the items 1-3 really.

    Let’s proceed with item 5:

    You wrote:

    try your plugin with toto2

    What do you mean? As toto2 has not admin privileges he doesn’t see plugin menu at all.
    Or how do you make reconnection under other user without logout and login again under other name and password?
    Without answers on the questions above my understanding of the situation is:
    1st, I don’t see what is the problem with URE plugin here. All what you do in item 5, you can do without URE plugin installation or usage. I make login as the second super-admin (toto3) and see all admins menus of course.

    2nd, The key to the “problem” is that toto3 user is “Super Admin”. As you gave him “super admin privilege for the network” you made him equal in rights with main super-admin. All his mighty capabilities goes from there, not from URE plugin or some real security hole.

    If I missed something and there is still some misunderstanding here, please, let me know.

    Thanks again.


    I’m really sorry but since the beginning all my messages dealt another plugin: User Switching

    However, if you have a little patience, I have a question about your plugin “User Role Editor”

    Is it possible to change a global role for these changes are retained in every creation of new blog?
    Example: I am a contributor to download files (pictures, etc.) and once the changes recorded all new contributors of all new blogs created have the same rights. Is this possible?

    Again thank you sincerely for your help and your patience and sorry for my mistake

    Plugin Author Vladimir Garagulia



    As I got some other proposals/requests for this feature from other URE plugin users I will try to realize it with the highest priority, possibly with the next update.

    Thank you very much…

Viewing 9 replies - 1 through 9 (of 9 total)
  • The topic ‘[Plugin: User Role Editor] Hole security’ is closed to new replies.