Make WordPress Core

Opened 9 months ago

Last modified 9 months ago

#59109 new defect (bug)

Prevent plugins from creating admin accounts

Reported by: tspnet
Owned by: (none)
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 6.3
Component: Plugins
Keywords: close
Focuses: (none)
Cc: (none)


Honestly, someone needs to see the sense in this. I'm pretty confident if you petitioned the worldwide WordPress community everyone would want this fixed regardless of it being self-hosted, or this is a flaw in the current WordPress.

I have given you the email to describe the issue; it explains it fully. This flaw needs to be fixed.

(13:14:10) James: Regardless of whether it's open source or not WordPress needs to be secure
(13:14:23) James: People, businesses, even enterprises use your product
(13:14:59) James: There must be a way for WordPress to prevent any plugin from creating an admin account, surely?
(13:15:21) James: And only allow WordPress admin to do it
(13:15:46) James: That would eliminate the flaw
(13:15:54) James: And actually make it secure
(13:16:57) James: I don't get how all these minds working on WordPress don't get this is important
(13:17:55) Happiness Engineer: Part of the open source spirit is that everything is open and available to change for everybody.

After downloading the software you can do with it whatever you want, this is what's also appealing for a lot of developers and users.
(13:18:19) James: What you're basically telling me is this flaw is OK because WordPress is open source? It's not OK?
(13:18:28) Happiness Engineer: Suggestions to improve the software can be made using a tool called Trac
(13:19:46) James: Can you send this email to me please
(13:19:54) James: I will post this message there
(13:20:13) Happiness Engineer: You will receive a transcript of this conversation after we close it.
(13:20:25) James: OK thanks let's close it
(13:23:41) Happiness Engineer: Ok, no problem.
Feel free to pop back in if there is anything else we can help you with.


Honestly, think of this from a critical point of view: this is a flaw that should be fixable so that plugins cannot make admin accounts and only an admin can make admin accounts.

I'm not a coder, and I do not have the foggiest idea how this would be done, but I hope it can be done, because if you surveyed everyone who uses WordPress I think everyone would feel safer with this implemented.

Change History (2)

#1 @swissspidy
9 months ago

  • Component changed from Users to Plugins
  • Keywords reporter-feedback removed
  • Severity changed from critical to normal
  • Summary changed from Massive security flaw, please see sense. to Prevent plugins from creating admin accounts

#2 @knutsp
9 months ago

  • Keywords close added

Plugins and themes extend WordPress, the main application. When loaded they become an integral part of the main application in a single process. While some processing and internal data can be protected through soft barriers like encapsulation, like objects, any part can access all resources, like files and the database, so no stored secrets. Being open source, any software algorithm is free to investigate and simulate.

WordPress exposes internal and external APIs. The externals can easily be restricted, with no way to bypass. The internal APIs are only there to make it simpler to do things right. Any plugin or theme may access the database and the file system, either through a high-level API (create_user), a low-level API ($wpdb) or more directly using PHP or loaded PHP extensions.

Plugins and themes have to be trusted. If not trusted, do not install it. It is as simple and as brutal as that.

So to do this, either

  1. An independent governing party/instance (process with an API), like, would have to confirm every user creation and/or user login, and all hooks from the authentication process would have to be removed.
  2. Plugins and themes would have to be redefined as external applications running in isolated processes with very limited rights, and WordPress would have to be rewritten as an operating system, with its own isolated processes.

This looks like having to tear down both WordPress Core and the whole WordPress ecosystem, and rebuild it from scratch, as flawed.

Yes, the "flaw" is that the WordPress ecosystem is trust based. It puts a lot of responsibility on the site owner, depending on how secure the whole system and data must be: from choosing a web host and, depending on knowledge, inspecting code, reading reviews by other users, trusting the plugin repo maintainers and the alert/suspension practices, and possibly installing the most trusted security plugin or subscribing to security reports.

The success of WordPress is, among other factors, that it is trust based. We are a community and we create open source, that anyone can make better and share alike. This is not a practical choice. It's the very foundation. And it's very secure and trustworthy, or else half the web would have crumbled down. And you can make it as secure as you like and have the skills to - no limit to what you can build into it and around it.

So, if insisting on paradigms like "zero trust" on all levels up to the user application, you can't use WordPress.

As both points above are out of the question and non-starters, someone has to come up with a completely different approach, more in line with the nature of WordPress. It could be as simple as special, externally triggered alerts when a new, somewhat suspicious administrator account is detected. But I will probably doubt it can't be circumvented by a smart programmer, and we are probably back at the current status quite soon.

Suggest wontfix.
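One defender-side shape of the "externally triggered alert" sketched in the comment above, as an added illustration that is not part of the ticket, of WordPress Core or of any plugin: a must-use plugin that reports when an account gains the administrator role and, because any plugin in the same process can remove hooks or write to the database through $wpdb, also audits the live administrator list against a recorded baseline. The `aaw_` prefix, the option name and the cron hook name are assumptions chosen for the example.

```php
<?php
/**
 * Plugin Name: Admin Account Watch (added illustration, not WordPress Core or ticket code)
 * Alerts the site owner when an account gains the administrator role. Hooks run in the
 * same process as every plugin and can be removed, and a direct $wpdb write bypasses
 * them, so an hourly audit also compares the live administrator list with a baseline.
 */

// Option and cron hook names are assumptions chosen for this example.
const AAW_BASELINE_OPTION = 'aaw_known_admin_ids';
const AAW_CRON_HOOK       = 'aaw_hourly_admin_audit';

function aaw_notify( $subject, $detail ) {
    $actor = wp_get_current_user();
    $who   = $actor->exists() ? "user '{$actor->user_login}' (#{$actor->ID})"
                              : 'no logged-in user (cron, CLI or unauthenticated request)';
    $msg   = sprintf( '%s; triggered by %s on %s', $detail, $who, $_SERVER['REQUEST_URI'] ?? 'n/a' );
    error_log( "[admin-account-watch] $subject: $msg" );
    wp_mail( get_option( 'admin_email' ), "[Admin account watch] $subject", $msg );
}

// WP_User::set_role() fires this; wp_insert_user()/create_user() call it for new accounts.
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    if ( 'administrator' === $role && ! in_array( 'administrator', (array) $old_roles, true ) ) {
        aaw_notify( 'Administrator role assigned', "user #$user_id now has the administrator role" );
    }
}, 10, 3 );

// WP_User::add_role() does not go through set_role(), so hook it separately.
add_action( 'add_user_role', function ( $user_id, $role ) {
    if ( 'administrator' === $role ) {
        aaw_notify( 'Administrator role added', "user #$user_id gained the administrator role" );
    }
}, 10, 2 );

// Hook-independent audit: any administrator missing from the baseline is reported.
function aaw_audit_admins() {
    $current = array_map( 'intval', get_users( [ 'role' => 'administrator', 'fields' => 'ID' ] ) );
    $known   = array_map( 'intval', (array) get_option( AAW_BASELINE_OPTION, [] ) );
    if ( empty( $known ) ) {                       // first run only records the baseline
        update_option( AAW_BASELINE_OPTION, $current, false );
        return;
    }
    $unexpected = array_diff( $current, $known );
    if ( $unexpected ) {
        aaw_notify( 'Unexpected administrator account(s)', 'user IDs ' . implode( ', ', $unexpected ) );
    }
}
add_action( AAW_CRON_HOOK, 'aaw_audit_admins' );
if ( ! wp_next_scheduled( AAW_CRON_HOOK ) ) {
    wp_schedule_event( time(), 'hourly', AAW_CRON_HOOK );
}
```

The baseline lives in the same database every plugin can write to, so the alert is a detection aid rather than a barrier, which is exactly the limitation the comment above describes.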
