Opened 7 months ago

Closed 4 months ago

#46661 closed enhancement (duplicate)

Add a control to hide "New Default Role" from WP ADMIN via WP Config

Reported by: gsh1923
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Users
Keywords:
Focuses: administration
Cc:
PR Number:

Description

Hi there

Recently there was a vulnerability detected in a plugin that we use.

What I found pretty nuts is that once the user had been created as an admin it was possible for them to easily change the “default new user role” setting by going over to General and changing the drop-down box.

I wondered therefore two things:

a) Is there a way that in wp-config some kind of special magic code would mean that that particular part of the WP would be hidden if set, thus meaning that the "Default New User Role" could only be changed with access to FTP.

b) If not, some kind of internal security ping that gets sent out to the site ADMIN in cases where the "Default New User Role" value is changed.

It was suggested that I write this here having posted to here:
https://wordpress.org/support/topic/new-default-role-wp-config-add-a-control/#post-11358317
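
The two ideas in the description above, sketched as a must-use plugin. This is an added example, not WordPress core code and not written by anyone on the ticket. The constant `EXAMPLE_LOCKED_DEFAULT_ROLE` and the function `example_default_role_alert()` are hypothetical names; the hooks are the standard `pre_option_{$option}`, `pre_update_option_{$option}` and `update_option_{$option}` option hooks.

```php
<?php
/**
 * Plugin Name: Default role guard (example)
 *
 * Example only. Save as wp-content/mu-plugins/default-role-guard.php.
 * To lock the role, add to wp-config.php (hypothetical constant):
 *     define( 'EXAMPLE_LOCKED_DEFAULT_ROLE', 'subscriber' );
 */

// (a) While the constant is defined, every read of default_role returns it,
// regardless of what is stored in the options table.
add_filter( 'pre_option_default_role', function ( $pre ) {
	return defined( 'EXAMPLE_LOCKED_DEFAULT_ROLE' ) ? EXAMPLE_LOCKED_DEFAULT_ROLE : $pre;
} );

// (a) Refuse writes while locked. Returning the old value makes
// update_option() treat the call as "nothing changed" and skip the write.
add_filter( 'pre_update_option_default_role', function ( $new, $old ) {
	if ( defined( 'EXAMPLE_LOCKED_DEFAULT_ROLE' ) && $new !== $old ) {
		example_default_role_alert( $old, $new, 'change blocked' );
		return $old;
	}
	return $new;
}, 10, 2 );

// (b) Not locked: the change goes through, and the site admin is told.
// This action fires only after the new value has been saved.
add_action( 'update_option_default_role', function ( $old, $new ) {
	example_default_role_alert( $old, $new, 'changed' );
}, 10, 2 );

/**
 * Mail the address under Settings > General with who asked for which role.
 */
function example_default_role_alert( $old, $new, $outcome ) {
	$user = wp_get_current_user();
	$who  = $user->exists() ? $user->user_login : 'unknown (no logged-in user)';

	wp_mail(
		get_option( 'admin_email' ),
		sprintf( '[%s] Default new user role %s', get_bloginfo( 'name' ), $outcome ),
		sprintf( "Previous role: %s\nRequested role: %s\nRequested by: %s", $old, $new, $who )
	);
}
```

Must-use plugins cannot be deactivated from the Plugins screen, so removing the lock requires file access, which is the property asked for in (a).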

Change History (1)

#1 @desrosj
4 months ago

  • Component changed from General to Users
  • Focuses administration added
  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Severity changed from major to normal
  • Status changed from new to closed

Hi @gsh1923,

Thanks for taking the time to create this ticket, and welcome to Trac!

This issue has been raised in a few other tickets before (see #46744, and #43936). #43936 has more discussion and movement, so I am going to close this as a duplicate.

If you do not feel this is correct, please just reopen and detail why.
