• Resolved Catapult

    (@catapult)


    Hi

    I noticed with this plugin that there’s no user capability set on its usage. So any site that allows subscriber access to the dashboard, e.g. to edit user profiles, makes the Re-order menu item available on all eligible post types. This means that any user with Subscriber role or above can re-order your posts.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author nsp-code

    (@nsp-code)

    Hi,
    Can you describe the issue you see in a bit more detail? The plugin actually does use capabilities to show the re-order interface, so unless set for Subscribers access, they can’t see and use that page at all.
    Feel free to contact us directly with details on how to replicate the issue.

    Thanks

    Thread Starter Catapult

    (@catapult)

    Ah… That was the bit I was missing. My apologies – I didn’t realise you could set the access level by role.

    Maybe the default could be set to Admin as I’ve used this plugin a couple of times and hadn’t noticed this setting?

    Thanks for the plugin…

    Plugin Author nsp-code

    (@nsp-code)

    By default it uses the ‘activate_plugins’ capability, which is available only for the administrator role.


The topic ‘Vulnerability: user capability’ is closed to new replies.