Index: src/wp-admin/includes/file.php
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- src/wp-admin/includes/file.php	(date 1512509026000)
+++ src/wp-admin/includes/file.php	(date 1512512312000)
@@ -373,8 +373,8 @@
 	if ( ! empty( $args['plugin'] ) ) {
 		$plugin = $args['plugin'];
 
-		if ( ! current_user_can( 'edit_plugins' ) ) {
-			return new WP_Error( 'unauthorized', __( 'Sorry, you are not allowed to edit plugins for this site.' ) );
+		if ( ! current_user_can( 'edit_plugin', $plugin ) ) {
+			return new WP_Error( 'unauthorized', __( 'Sorry, you are not allowed to edit this plugin.' ) );
 		}
 
 		if ( ! wp_verify_nonce( $args['nonce'], 'edit-plugin_' . $file ) ) {
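Review bot: The new per-plugin check authorizes `$plugin`, but the nonce on the following line is keyed on `$file`, so the check only means something if `$file` is confirmed to belong to `$plugin`. The hunk does not show that validation, and the function body starts and ends outside it. Confirm that `$file` is checked against the plugin's own file list before anything is written, and that an unknown `$plugin` value is rejected. Otherwise a `map_meta_cap` filter that grants `edit_plugin` for one plugin would in effect allow edits to files of any plugin. I would add a comment above the check such as `// Per-plugin meta capability; $file must be validated as part of $plugin before writing.`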
Index: src/wp-admin/plugin-editor.php
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- src/wp-admin/plugin-editor.php	(date 1512509026000)
+++ src/wp-admin/plugin-editor.php	(date 1512512312000)
@@ -14,8 +14,14 @@
 	exit();
 }
 
-if ( ! current_user_can( 'edit_plugins' ) ) {
-	wp_die( __( 'Sorry, you are not allowed to edit plugins for this site.' ) );
+$file = ( isset( $_REQUEST['file'] ) ) ?  wp_unslash( $_REQUEST['file'] ) : '';
+$plugin = isset( $_REQUEST['plugin'] ) ? wp_unslash( sanitize_text_field( $_REQUEST['plugin'] ) ) : '';
+
+if ( ! current_user_can( 'edit_plugin', $plugin) ) {
+    if( empty( $plugin ) )
+	    wp_die( __( 'Sorry, you are not allowed to edit plugins for this site.' ) );
+    else
+	    wp_die( __( 'Sorry, you are not allowed to edit this plugin.' ) );
 }
 
 $title       = __( 'Edit Plugins' );
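Review bot: The capability check added at the top runs on the raw request value, before the `if ( empty( $plugin ) )` block kept as context in the next hunk, which appears to choose a plugin when none was supplied. In that case the plugin that ends up loaded is never checked with `edit_plugin`, so repeat the check once `$plugin` has its final value or move it below that block. Separately, `wp_unslash( sanitize_text_field( ... ) )` applies the two calls in the reverse of the usual order and changes how `$plugin` was read before (it was only unslashed); the conventional form is `$plugin = isset( $_REQUEST['plugin'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['plugin'] ) ) : '';`. The inner `if`/`else` should also use braces and tab indentation like the rest of the file.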
@@ -35,16 +41,6 @@
 	exit;
 }
 
-$file   = '';
-$plugin = '';
-if ( isset( $_REQUEST['file'] ) ) {
-	$file = wp_unslash( $_REQUEST['file'] );
-}
-
-if ( isset( $_REQUEST['plugin'] ) ) {
-	$plugin = wp_unslash( $_REQUEST['plugin'] );
-}
-
 if ( empty( $plugin ) ) {
 	if ( $file ) {
 
@@ -219,6 +215,10 @@
 		<select name="plugin" id="plugin">
 <?php
 foreach ( $plugins as $plugin_key => $a_plugin ) {
+
+    if( ! current_user_can( 'edit_plugin', $plugin_key) )
+        continue;
+
 	$plugin_name = $a_plugin['Name'];
 	if ( $plugin_key == $plugin ) {
 		$selected = " selected='selected'";
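Review bot: Skipping entries in the dropdown only hides them; nothing in this hunk stops a request that names a hidden plugin directly. The filter therefore depends on the `edit_plugin` check at the top of the page and should say so, e.g. `// Display filter only; access is enforced by the edit_plugin check at the top of this file.` The added lines also drop the braces and spacing used by the surrounding code: `if ( ! current_user_can( 'edit_plugin', $plugin_key ) ) { continue; }`. The `foreach` body continues past the end of the hunk.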
Index: src/wp-includes/capabilities.php
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- src/wp-includes/capabilities.php	(date 1512509026000)
+++ src/wp-includes/capabilities.php	(date 1512512312000)
@@ -402,6 +402,7 @@
 			break;
 		case 'edit_files':
 		case 'edit_plugins':
+		case 'edit_plugin':
 		case 'edit_themes':
 			// Disallow the file editors.
 			if ( defined( 'DISALLOW_FILE_EDIT' ) && DISALLOW_FILE_EDIT ) {
@@ -411,7 +412,7 @@
 			} elseif ( is_multisite() && ! is_super_admin( $user_id ) ) {
 				$caps[] = 'do_not_allow';
 			} else {
-				$caps[] = $cap;
+				$caps[] = ( $cap == 'edit_plugin' ) ? 'edit_plugins' : $cap;
 			}
 			break;
 		case 'update_plugins':
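Review bot: The mapping on the changed line uses a loose comparison and ignores the plugin passed with the meta capability; the strict form is `$caps[] = ( 'edit_plugin' === $cap ) ? 'edit_plugins' : $cap;`. As written, `edit_plugin` resolves to `edit_plugins` for every plugin, so on its own this patch restricts nothing per plugin and any real restriction has to come from a `map_meta_cap` filter. A comment on the `case 'edit_plugin':` label added in the previous hunk should state that, e.g. `// Meta cap: $args[0] is the plugin file; maps to edit_plugins unless filtered.` The `switch` starts and ends outside both hunks.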
