Default User Role isn't checked against defined roles, causing unexpected resets to Administrator
Reported by: Ivolution | Owned by: garyc40
Severity: major | Keywords: has-patch 3.2-early commit
Take these steps:
- Activate a plugin that creates a role on activation. For example, it calls "add_role( 'photo_uploader', 'Photo Uploader', array( 'read' ) );"
- In General Settings, set the Default User Role to this new role, 'Photo Uploader'.
- Deactivate the plugin, removing the role: "remove_role( 'photo_uploader' );"
- In General Settings, the Default User Role now displays 'Administrator'. (In the database, it still says 'photo_uploader'.)
- When creating a new user (as admin), the role dropdown box now displays 'Administrator' as the role for this new user. This new user _will_ have the role 'Administrator' if an unsuspecting admin does not explicitly alter the role in the dropdown box.
This way, an unsuspecting administrator might accidentally create new admins for his blog.
I have also tested this for new users registering themselves. Fortunately, they are assigned the role 'None', not 'Administrator'.
Ivo van der Linden
(employee of LaQuSo @ Eindhoven University of Technology)
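One defensive mitigation for the scenario described in the report, written here as an added example (it is not part of the ticket's patch or of WordPress core): a small plugin that validates the stored `default_role` option against the roles that are actually defined, both when the option is saved and on every read, and falls back to the least-privileged built-in role instead of letting the form default to 'administrator'. The plugin name, the `drg_` prefix and the constant are assumptions of this example; `get_role()`, the `option_default_role` and `sanitize_option_default_role` filters are standard WordPress hooks.

```php
<?php
/**
 * Plugin Name: Default Role Guard (added example, not from the ticket or WP core)
 *
 * Scenario from the ticket: a plugin creates a role, the admin makes it the
 * Default User Role, the plugin is deactivated and removes the role, and the
 * stored option now names a role that no longer exists. Unvalidated, the
 * new-user form falls through to 'Administrator'. This guard checks the
 * stored value at two points: when it is saved and whenever it is read.
 */

// Least-privileged built-in role to fall back to (assumption of this example).
const DRG_SAFE_DEFAULT_ROLE = 'subscriber';

/**
 * Return $role unchanged if it is a currently defined role; otherwise log the
 * mismatch (so the removed role is visible to the admin) and return the
 * safe fallback. Used for both the read-side and save-side checkpoints.
 */
function drg_validated_default_role( $role ) {
	// get_role() returns null for any role WP_Roles does not know about,
	// which is exactly the state left behind by remove_role().
	if ( is_string( $role ) && null !== get_role( $role ) ) {
		return $role;
	}

	error_log( sprintf(
		'default_role "%s" is not a defined role; falling back to "%s"',
		(string) $role,
		DRG_SAFE_DEFAULT_ROLE
	) );

	return DRG_SAFE_DEFAULT_ROLE;
}

// Checkpoint 1: every get_option( 'default_role' ) call, including the
// one that pre-selects the role dropdown on the Add New User screen.
add_filter( 'option_default_role', 'drg_validated_default_role' );

// Checkpoint 2: the value submitted from Settings > General, so a role
// that does not exist can never be persisted in the first place.
add_filter( 'sanitize_option_default_role', 'drg_validated_default_role' );
```

Dropping the file into `wp-content/mu-plugins/` makes the check active without an activation step, which matters here because the weakness appears right after another plugin is deactivated.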
Change History (17)
- Keywords 3.2-early added
- Milestone changed from Awaiting Review to Future Release
- Summary changed from Security issue after plugin deactivation (by accidentally creating administrators) to Default User Role isn't checked against defined roles, causing unexpected resets to Administrator
comment:9 wonderboymusic — 11 months ago
- Keywords needs-testing removed
- Milestone changed from Future Release to 3.6