
Make WordPress Core

Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#6662 closed defect (bug) (fixed)

Users without capability "create_users" can add new users

Reported by: imwebgefunden Owned by: anonymous
Priority: high Milestone: 2.5.1
Component: Security Version: 2.5
Severity: critical Keywords:
Cc:

Description

If a user has the capability "edit_users" and not the capability "create_users" he can add new users.
The defect is in admin-ajax.php. The check is against "edit_users" and not "create_users". I've attached a patch to fix this issue.
A second one, more an add-on than a defect: we should show the add user form only if the current user has the capability to add a new user. If the current user has the capability "create_users" the form will be shown. The second patch I attached does this job.
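As an added illustration of the capability gate the ticket describes (not the reporter's patch or WordPress's own admin-ajax.php), the defective and corrected capability checks side by side, plus the form gating from the second patch; handle_add_user, render_add_user_form, $demo_caps and the current_user_can stand-in are assumed names so the file runs outside WordPress:

```php
<?php
// Added illustration for ticket #6662; not WordPress's admin-ajax.php code.
// Stand-in for WordPress's current_user_can() so this runs outside WordPress
// (assumption: the current user is modelled as a plain capability list).
if (!function_exists('current_user_can')) {
    function current_user_can(string $cap): bool {
        global $demo_caps;   // constructed; WordPress derives this from the user's role
        return in_array($cap, $demo_caps ?? [], true);
    }
}

// Shape of the 'add-user' AJAX action handler. $required_cap is the capability
// the gate checks: 'edit_users' reproduces the defect the ticket reports,
// 'create_users' is the check the fix in [7659]/[7660] applies instead.
// Nonce verification and the actual wp_insert_user() call are omitted here.
function handle_add_user(array $request, string $required_cap): string {
    if (!current_user_can($required_cap)) {
        return '-1';   // admin-ajax convention for "refused"
    }
    return 'created:' . $request['user_login'];
}

// Second patch: render the "Add User" form only for users who may create users.
function render_add_user_form(): string {
    return current_user_can('create_users') ? '<form id="adduser">...</form>' : '';
}

// Constructed sample: a user holding edit_users but not create_users.
$demo_caps = ['edit_users'];
$req = ['user_login' => 'newaccount'];
echo "edit_users gate:   ", handle_add_user($req, 'edit_users'), "\n";
echo "create_users gate: ", handle_add_user($req, 'create_users'), "\n";
echo "form shown:        ", render_add_user_form() === '' ? 'no' : 'yes', "\n";
```

With the edit_users gate the sample user's request is accepted; with the create_users gate it is refused and the form is not rendered.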

Attachments (2)

ajax_create_users.diff (381 bytes) - added by imwebgefunden 5 years ago.
Patch for admin-ajax.php to check against "create_users"
hide_create_user_form.diff (365 bytes) - added by imwebgefunden 5 years ago.
Show "Add User" Form only if the current user can create new users


Change History (5)

imwebgefunden 5 years ago

Patch for admin-ajax.php to check against "create_users"

imwebgefunden 5 years ago

Show "Add User" Form only if the current user can create new users

comment:1 imwebgefunden 5 years ago

  • Severity changed from normal to critical

comment:2 ryan 5 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [7659]) Check create_users cap instead of edit_users when adding/inserting users. Props imwebgefunden. fixes #6662 for 2.5

comment:3 ryan 5 years ago

(In [7660]) Check create_users cap instead of edit_users when adding/inserting users. Props imwebgefunden. fixes #6662 for trunk
