Make WordPress Core

Opened 4 months ago

Last modified 4 months ago

#63856 new defect (bug)

Bug Report: Post Author Can Be Assigned to Subscribers via Gutenberg Editor

Reported by: chilu5504 Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 6.8.2
Component: Editor Keywords: has-test-info needs-unit-tests dev-feedback
Focuses: tests, administration Cc:

Description

Hello WordPress Team,

Good evening! I regularly use WordPress for both client projects and personal work, and while testing the Gutenberg editor, I noticed a bug.

Normally, when editing a post in Gutenberg, the Author option on the right-hand side shows a dropdown with users who have the roles Administrator, Editor, or Contributor — but not Subscribers (which is correct).

However, if I inspect the element in the browser and manually change the dropdown value to a user ID that belongs to a Subscriber, the post gets reassigned to that Subscriber.

This seems like an issue, because Subscribers should not be selectable as post authors in the editor on the admin side.

I’ve attached screenshots to make this clearer:

User list: https://prnt.sc/9XIMve4OaJfJ

Post list (created by Admin): https://prnt.sc/i_uEpCAZnBB8

Author dropdown in editor: https://prnt.sc/s5Gcu2eGVYSI, https://prnt.sc/MzDGzWtO2bRb

After changing dropdown value to Subscriber user ID: https://prnt.sc/VNH1QBIcRjN5

Subscriber “Chilu” appearing in the list: https://prnt.sc/lOH2a1ZCgFWZ

Post successfully assigned to Subscriber: https://prnt.sc/Qnnjikk3jevz

Could you please review this bug? I believe it may allow unintended assignment of posts to users with the Subscriber role.

Thank you for your time and support!

Best regards,
Chirag Patel

Attachments (1)

Screenshot_1.png (51.4 KB) - added by chilu5504 4 months ago.
I’ve included the screenshot links in the ticket description.


Change History (9)

@chilu5504
4 months ago

I’ve included the screenshot links in the ticket description.

#1 follow-up: @rishabhwp
4 months ago

I was able to successfully reproduce this issue using the latest Gutenberg repository. After going through the codebase, I found that this is a Gutenberg-specific security vulnerability rather than a WordPress Core issue.

Root Cause: The Gutenberg editor correctly filters the author dropdown to display only users with appropriate capabilities (Administrator, Editor, Contributor). However, there is no client-side validation when the author field is updated via DOM manipulation in the post settings panel. This allows subscribers to be assigned as post authors by manually changing dropdown values through browser developer tools.

Check combobox.js and select.js

Should I open an issue in the Gutenberg repository for this?

#2 @rishabhwp
4 months ago

I’ve reported this issue on Gutenberg #71299

#3 @peterwilsoncc
4 months ago

  • Severity changed from critical to normal

I've dropped the priority as it's somewhat intentional that subscribers can be delegated as an author. The use case is for guest posts or similar in which an editor wishes to create an author without giving them the ability to edit content.

That said, I think it would be a good enhancement to prevent the assignment to user accounts that do not appear in the author dropdown list.

#4 @Mamaduka
4 months ago

I'm really not sure about this one.

Only users who can make complete modifications to everyone's posts (edit_others_posts) can assign the users; others will get the error:

Updating failed. Sorry, you are not allowed to update posts as this user.

Adding validation to a couple of components won't change much. The same user can dispatch data actions via DevTools - wp.data.dispatch( 'core/editor' ).editPost( { author: 2 } );.

The "problem" also affects the classic editor. I couldn't find it, but there could be a similar report for it.

Last edited 4 months ago by Mamaduka

#5 in reply to: ↑ 1 @chilu5504
4 months ago

Replying to rishabhwp:

I was able to successfully reproduce this issue using the latest Gutenberg repository. After going through the codebase, I found that this is a Gutenberg-specific security vulnerability rather than a WordPress Core issue.

Root Cause: The Gutenberg editor correctly filters the author dropdown to display only users with appropriate capabilities (Administrator, Editor, Contributor). However, there is no client-side validation when the author field is updated via DOM manipulation in the post settings panel. This allows subscribers to be assigned as post authors by manually changing dropdown values through browser developer tools.

Check combobox.js and select.js

Should I open an issue in the Gutenberg repository for this?

#6 @chilu5504
4 months ago

Yes, please update me.

#7 @wildworks
4 months ago

Note that this behaviour isn't specific to Gutenberg (Block Editor): You can assign a subscriber user as the author in the classic editor and quick edit as well.

If the current behaviour is truly a problem, I think the problem should be fixed on the server side, not on the client side.
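
As an added illustration of the server-side direction comments 3, 4 and 7 point towards (this is example code written for this ticket page, not WordPress core, Gutenberg, or anything proposed by the commenters), the snippet below hooks wp_insert_post_data, which every save path ends in: the block editor's REST request, the classic editor form and Quick Edit. It assumes the same criterion the author meta box dropdown uses to build its list, namely that a candidate author must hold the post type's edit_posts capability; the function name and the fallback behaviour are this example's own choices. Because it also closes the guest-author delegation comment 3 describes as intentional, it belongs in an opt-in plugin rather than as a core default.

```php
<?php
/**
 * Example mitigation (not WordPress core or Gutenberg code): keep post_author
 * from being set to a user the author dropdown would not offer.
 *
 * wp_insert_post_data runs for every path that ends in wp_insert_post(),
 * so the check applies equally to the block editor (REST), the classic
 * editor and Quick Edit. The capability test assumed here is the one the
 * author meta box filters its dropdown on: the post type's edit_posts cap.
 */
add_filter( 'wp_insert_post_data', 'example_enforce_author_capability', 10, 4 );

function example_enforce_author_capability( $data, $postarr, $unsanitized_postarr, $update ) {
    $author_id = isset( $data['post_author'] ) ? (int) $data['post_author'] : 0;
    if ( $author_id <= 0 ) {
        return $data; // Core fills in the current user for an empty author.
    }

    $post_type_object = get_post_type_object( $data['post_type'] );
    if ( ! $post_type_object ) {
        return $data;
    }

    // Candidate holds the capability the dropdown filters on: nothing to do.
    if ( user_can( $author_id, $post_type_object->cap->edit_posts ) ) {
        return $data;
    }

    // Otherwise fall back to the author the post already has (update) or the
    // acting user (new post), instead of accepting the submitted value.
    $fallback = 0;
    if ( $update && ! empty( $postarr['ID'] ) ) {
        $fallback = (int) get_post_field( 'post_author', (int) $postarr['ID'] );
    }
    if ( $fallback <= 0 ) {
        $fallback = get_current_user_id();
    }

    // Record the rewrite so the silent correction shows up in the error log.
    error_log( sprintf(
        'example_enforce_author_capability: user %d lacks %s, post_author reset from %d to %d by user %d',
        $author_id,
        $post_type_object->cap->edit_posts,
        $author_id,
        $fallback,
        get_current_user_id()
    ) );

    $data['post_author'] = $fallback;
    return $data;
}
```

Dropped into a must-use plugin, the filter makes the DOM edit in the report, the classic editor form and the wp.data.dispatch call from comment 4 all land on the same server-side decision, which is the point of comment 7: client-side validation in a component only narrows one of several equivalent inputs. The error_log line is there so that an administrator reviewing logs can see when a submitted author was rejected rather than discovering it from a changed post list.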

#8 @rishabhwp
4 months ago

My bad, I should have dug into the issue more carefully before jumping to that conclusion. The filtered author dropdown and the ability to change its value through the DOM led me to assume that it was a client-side validation issue in the Gutenberg component. I now understand that client-side validation would only fix the specific scenario described in the issue and not the broader behavior that also exists in the classic editor and through data dispatch or other interfaces. I will be more careful going forward.
