Title: Vulnerability: user capability
Last modified: February 21, 2017

---

# Vulnerability: user capability

 *  Resolved [Catapult](https://wordpress.org/support/users/catapult/)
 * (@catapult)
 * [9 years, 1 month ago](https://wordpress.org/support/topic/vulnerability-user-capability/)
 * Hi
 * I noticed with this plugin that there’s no user capability set on its usage. 
   So any site that allows subscriber access to the dashboard, e.g. to edit user
   profiles, makes the Re-order menu item available on all eligible post types. 
   This means that any user with Subscriber role or above can re-order your posts.

Viewing 3 replies - 1 through 3 (of 3 total)

 *  Plugin Author [nsp-code](https://wordpress.org/support/users/nsp-code/)
 * (@nsp-code)
 * [9 years, 1 month ago](https://wordpress.org/support/topic/vulnerability-user-capability/#post-8832137)
 * Hi,
 * Can you describe a bit more the issue you see? The plugin actually does
   use capabilities to show the re-order interface, so unless set for Subscribers access,
   they can’t see and use that page at all. Feel free to contact us directly with
   details on how to replicate the issue.
 * Thanks
 *  Thread Starter [Catapult](https://wordpress.org/support/users/catapult/)
 * (@catapult)
 * [9 years, 1 month ago](https://wordpress.org/support/topic/vulnerability-user-capability/#post-8833946)
 * Ah… That was the bit I was missing. My apologies – I didn’t realise you could
   set the access level by role.
 * Maybe the default could be set to Admin as I’ve used this plugin a couple of 
   times and hadn’t noticed this setting?
 * Thanks for the plugin…
 *  Plugin Author [nsp-code](https://wordpress.org/support/users/nsp-code/)
 * (@nsp-code)
 * [9 years, 1 month ago](https://wordpress.org/support/topic/vulnerability-user-capability/#post-8834691)
 * By default it uses the ‘activate_plugins’ capability, which is available only
   to the administrator role.


The topic ‘Vulnerability: user capability’ is closed to new replies.
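
The capability gating discussed in this thread, sketched as an added example for a hypothetical plugin; it is not Post Types Order's code, and the option name, menu slug, AJAX action, nonce action and function names are assumptions. It defaults to `activate_plugins` and repeats the check in the save handler, because hiding the menu item alone does not protect the endpoint behind it.

```php
<?php
/**
 * Added example for a hypothetical plugin (not Post Types Order's source).
 * Option name, slug, nonce action and function names are assumptions.
 */

// Capability required to re-order; falls back to an administrator-only one.
function example_reorder_capability() {
    $cap = get_option( 'example_reorder_capability', 'activate_plugins' );
    return ( is_string( $cap ) && '' !== $cap ) ? $cap : 'activate_plugins';
}

// 1. The menu item is registered with the capability, so WordPress neither
//    lists it nor serves the page to users who lack it.
add_action( 'admin_menu', function () {
    add_submenu_page(
        'edit.php',                    // parent: the Posts menu
        'Re-order',                    // page title
        'Re-order',                    // menu title
        example_reorder_capability(),  // required capability
        'example-reorder',             // menu slug (assumed)
        'example_reorder_render_page'
    );
} );

function example_reorder_render_page() {
    echo '<div class="wrap"><h1>Re-order</h1></div>';
}

// 2. The save endpoint repeats the check: wp_ajax_* handlers are reachable
//    by every logged-in user, whatever the menu shows them.
add_action( 'wp_ajax_example_reorder_save', function () {
    check_ajax_referer( 'example_reorder_save', 'nonce' ); // CSRF token
    if ( ! current_user_can( example_reorder_capability() ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $ids = isset( $_POST['order'] ) ? array_map( 'absint', (array) $_POST['order'] ) : array();
    foreach ( array_values( array_filter( $ids ) ) as $position => $post_id ) {
        // Per-object check so the ordering right cannot touch posts the user may not edit.
        if ( current_user_can( 'edit_post', $post_id ) ) {
            wp_update_post( array( 'ID' => $post_id, 'menu_order' => $position ) );
        }
    }
    wp_send_json_success();
} );
```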

 * [Post Types Order](https://wordpress.org/plugins/post-types-order/)

 * 3 replies
 * 2 participants
 * Last reply from: [nsp-code](https://wordpress.org/support/users/nsp-code/)
 * Last activity: [9 years, 1 month ago](https://wordpress.org/support/topic/vulnerability-user-capability/#post-8834691)
 * Status: resolved