Title: Security
Last modified: December 12, 2024

---

# Security

 *  Resolved [tylerknox](https://wordpress.org/support/users/tylerknox/)
 * (@tylerknox)
 * [1 year, 5 months ago](https://wordpress.org/support/topic/security-131/)
 * As a non-administrator user (WooCommerce Shop Manager) with capabilities `ure_edit_roles`,
   `ure_manage_options`, and `ure_reset_roles`, I was able to reset the wp_capabilities
   of an administrator account.
 * ![](https://i0.wp.com/static.knoxy.tk/share/cap1.png?ssl=1)
 * ![](https://i0.wp.com/static.knoxy.tk/share/cap2.png?ssl=1)
 * ![](https://i0.wp.com/static.knoxy.tk/share/cap3.png?ssl=1)

Viewing 2 replies - 1 through 2 (of 2 total)

 *  Plugin Author [Vladimir Garagulya](https://wordpress.org/support/users/shinephp/)
 * (@shinephp)
 * [1 year, 5 months ago](https://wordpress.org/support/topic/security-131/#post-18201256)
 * I don’t think we meet a security issue here.
 * If you executed the ‘Reset’ operation – it is a site-wide critical action, which rewrites
   site user roles with WordPress’s own initial copy (as it has on installation).
   ‘ure_reset_roles’ is the special user capability/permission which allows this
   action. What’s the purpose of granting it to a non-administrator user? Such a user
   just becomes a permissions superadmin if you grant him such critical permissions as
   you listed above.
 *  Thread Starter [tylerknox](https://wordpress.org/support/users/tylerknox/)
 * (@tylerknox)
 * [1 year, 5 months ago](https://wordpress.org/support/topic/security-131/#post-18202154)
 * My apologies, I should have been more clear in my original description.
 * This particular use case involved a client that had limited back end access
   (WooCommerce Shop Manager) with some additional custom capabilities, including
   the ability to modify roles (screenshot #2). The capabilities the Shop Manager
   user themselves did not have access to were hidden using CSS.
 * The URE option to show the Administrator role was un-checked and functioning 
   as intended. The issue is, however, that if this non-admin Shop Manager user 
   can view Administrator users, they can see the Capabilities action link beneath
   their username (screenshot #1).
 * Once they click on that link and arrive at the user-specific roles/capabilities,
   they are unable to view the Administrator role (per the URE option), which results
   in defaulting to No Role (screenshot #3). If the “Update” button is clicked in
   this state, then it effectively removes the Administrator role from their account.
 * This seemed like a potential flaw or unintended behavior to me, so I figured 
   I’d point it out.
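The failure mode described in this thread (a role-edit form that cannot see the Administrator role, submits a role set without it, and the server applies that set as-is) is best avoided by not granting the `ure_*` capabilities to non-administrators, as the plugin author says. As an added defence-in-depth example, not code from User Role Editor or from either poster, the must-use plugin below refuses any write that would strip the administrator role from a user, or rewrite the site-wide roles table, unless the acting user is an administrator. It assumes a standard WordPress install; the `pae_` function names and the file name are hypothetical, while the `update_user_metadata` and `pre_update_option_{$option}` hooks are WordPress core's.

```php
<?php
/**
 * Plugin Name: Protect Administrator Role (added example, not part of User Role Editor)
 * Description: Refuses writes that would strip the administrator role from a user,
 *              or reset the site-wide roles table, unless the actor is an administrator.
 *
 * Place this file in wp-content/mu-plugins/ (file name is hypothetical, e.g.
 * protect-admin-role.php) so it loads before regular plugins. All pae_ names are
 * hypothetical; the hooks used are WordPress core's.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/** True when the current request is run by an administrator (or by WP-CLI). */
function pae_actor_is_admin() {
    if ( defined( 'WP_CLI' ) && WP_CLI ) {
        return true;
    }
    $actor = wp_get_current_user();
    return $actor
        && ( in_array( 'administrator', (array) $actor->roles, true ) || is_super_admin( $actor->ID ) );
}

/**
 * Guard 1: the per-user capability map (the wp_capabilities meta key).
 * Every role change made through WP_User::set_role()/remove_role()/add_role() ends in
 * update_user_meta(), so this is one choke point regardless of which screen submitted
 * the form. Code that writes the usermeta table with raw SQL would bypass it.
 */
function pae_guard_capabilities_meta( $check, $user_id, $meta_key, $meta_value, $prev_value ) {
    global $wpdb;
    if ( $meta_key !== $wpdb->get_blog_prefix() . 'capabilities' ) {
        return $check;
    }
    $target = get_userdata( $user_id );
    if ( ! $target || ! in_array( 'administrator', (array) $target->roles, true ) ) {
        return $check; // target is not an administrator: nothing to protect
    }
    $new_caps = is_array( $meta_value ) ? $meta_value : array();
    if ( ! empty( $new_caps['administrator'] ) ) {
        return $check; // administrator role is kept, allow the write
    }
    if ( pae_actor_is_admin() ) {
        return $check; // administrators may demote other administrators
    }
    // A non-administrator is about to demote an administrator (e.g. the hidden-role
    // form that defaults to "No Role"). Refuse the write and leave an audit trail.
    error_log( sprintf(
        'pae: blocked removal of administrator role from user %d by user %d',
        $user_id,
        get_current_user_id()
    ) );
    return false; // a non-null return short-circuits update_user_meta(); nothing is written
}
add_filter( 'update_user_metadata', 'pae_guard_capabilities_meta', 10, 5 );

/**
 * Guard 2: the site-wide roles table (the wp_user_roles option) that a "Reset"
 * rewrites. Returning the old value makes update_option() a no-op.
 */
function pae_guard_roles_option( $value, $old_value, $option ) {
    if ( pae_actor_is_admin() ) {
        return $value;
    }
    error_log( sprintf( 'pae: blocked rewrite of %s by user %d', $option, get_current_user_id() ) );
    return $old_value;
}
add_filter(
    'pre_update_option_' . $GLOBALS['wpdb']->get_blog_prefix() . 'user_roles',
    'pae_guard_roles_option',
    10,
    3
);
```

Two caveats worth knowing before relying on this: a refused write leaves the in-memory `WP_User` object of the current request already modified (the database is untouched and the next request re-reads it), and the `error_log()` lines are only useful as detection if PHP's error log is actually collected, so point `WP_DEBUG_LOG` or the web server's PHP log at whatever you ship to your log pipeline.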


The topic ‘Security’ is closed to new replies.

 * [User Role Editor](https://wordpress.org/plugins/user-role-editor/)

 * 2 replies
 * 2 participants
 * Last reply from: [tylerknox](https://wordpress.org/support/users/tylerknox/)
 * Last activity: [1 year, 5 months ago](https://wordpress.org/support/topic/security-131/#post-18202154)
 * Status: resolved