Capability Manager Enhanced
Serious hack issues with this plugin (2 posts)

  1. EclipseDesignConcepts
    Posted 10 months ago #

    I used this plugin for the first time on one of my sites as an alternative to the one I normally use since there are things I don't like about that one. It's a client site who is no longer under a maintenance contract so I don't normally go to the site to check on things. I had a reason to go there today and was dismayed to see dozens of spam blog posts and ALL of the spam users (who were able to register since the Stop Spam Registry Plugin has been changed and no longer blocks a lot of spammers) that had registered were listed as EDITORS! I immediately deleted all of those users and the spam posts and then set to figure out what was going on. After reading the support forum here I realized I needed to check a few things. Under Settings/General I was horrified to see all sorts of settings changed. For instance new users were automatically registered as EDITORS instead of SUBSCRIBERS as I had set it up to be. All of my posting and commenting moderation settings were modified. For this client I had it set up to be super tight as they didn't want anyone being able to do anything without their knowledge or permission. Those settings were all changed to the most lenient. I, of course, switched everything back to the way I had it. Then I went into the settings for this plugin and was again horrified. The settings for the user level subscriber were set that any subscriber could add/delete and modify other users (it wasn't like that when I first set up the plugin so this must have happened during an update that I didn't catch)! I knew instantly what the whole issue was! A spammer registered, saw he was automatically an editor (whose settings were now set to allow them to make changes to the other settings!) and went in and changed my settings to not only be the most lenient but most importantly so that the owners wouldn't be notified of spam postings or comments!

    Needless to say I will not be using this particular plugin again and I would recommend that someone look into this issue for the other users who are still using it. It poses a serious risk to site owners. I was lucky in that they didn't discover the ability to change my admin status and make other more serious changes to the site! Users beware! Check your settings thoroughly!
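The post above describes two misconfigurations worth checking on any site that uses a role editor: a low-privilege role (subscriber) holding user-management capabilities, and the default role for new registrations set to something above subscriber. The script below is an added audit example written for this thread; it is not part of the Capability Manager Enhanced plugin or either poster's site. It uses only WordPress core APIs (wp_roles(), get_option()) and core capability and option names; the list of capabilities treated as sensitive and the set of roles treated as low-privilege are this example's own choices. It also covers the comment moderation and notification options the post says were changed, so it goes slightly beyond the two settings the poster names. Run it with WP-CLI as `wp eval-file audit-roles.php` from the site root.

```php
<?php
/**
 * Role and registration audit for a WordPress site.
 * Added example for this forum thread; not the plugin's code.
 * Usage:  wp eval-file audit-roles.php
 */

// Capabilities that let a role change who can log in or what others may do.
// Selection is this example's own; the names are WordPress core capabilities.
$sensitive_caps = array(
    'create_users', 'edit_users', 'delete_users', 'promote_users',
    'remove_users', 'manage_options', 'edit_files', 'install_plugins',
    'activate_plugins', 'edit_plugins', 'unfiltered_html',
);

// Roles that should carry none of the capabilities above (example's assumption).
$low_privilege_roles = array( 'subscriber', 'contributor', 'author', 'editor' );

$findings = array();

// 1. Does any low-privilege role hold a user-management capability?
foreach ( wp_roles()->roles as $slug => $role ) {
    if ( ! in_array( $slug, $low_privilege_roles, true ) ) {
        continue;
    }
    foreach ( $sensitive_caps as $cap ) {
        // A capability is granted only when present and true; an explicit false means denied.
        if ( ! empty( $role['capabilities'][ $cap ] ) ) {
            $findings[] = sprintf( 'role "%s" holds capability "%s"', $slug, $cap );
        }
    }
}

// 2. What does a self-registered visitor become?
$default_role = get_option( 'default_role' );
if ( 'subscriber' !== $default_role ) {
    $findings[] = sprintf( 'default_role for new registrations is "%s" (expected "subscriber")', $default_role );
}

// 3. Registration and moderation settings the post says were loosened. Reported for review.
$settings = array(
    'users_can_register' => get_option( 'users_can_register' ), // 1 = anyone can sign up
    'comment_moderation' => get_option( 'comment_moderation' ), // 1 = comments held for manual approval
    'moderation_notify'  => get_option( 'moderation_notify' ),  // 1 = e-mail owner when a comment is held
    'comments_notify'    => get_option( 'comments_notify' ),    // 1 = e-mail owner on every new comment
);

echo "Registration and moderation settings:" . PHP_EOL;
foreach ( $settings as $name => $value ) {
    echo sprintf( '  %-20s = %s', $name, var_export( $value, true ) ) . PHP_EOL;
}

if ( empty( $findings ) ) {
    echo "No role or default_role findings." . PHP_EOL;
    return;
}

echo "Findings:" . PHP_EOL;
foreach ( $findings as $line ) {
    echo '  - ' . $line . PHP_EOL;
}

// Non-zero exit so the script can run from cron or a deploy check and fail loudly.
if ( class_exists( 'WP_CLI' ) ) {
    WP_CLI::error( count( $findings ) . ' finding(s); review roles and Settings > General.' );
}
```

Because both posters report settings changing after an update or "after some time", the check is more useful scheduled (cron calling WP-CLI) than run once: a diff of its output between runs shows exactly which role or option moved, and when.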


  2. klantomo
    Posted 10 months ago #

    I wonder if we face the same problem? Capabilities on our installation automatically reset to the default settings after some time. Did you experience the same?

    I just posted something about it: http://wordpress.org/support/topic/capabilities-reset-automatically-to-default-after-some-days?replies=1#post-5509081

