Make WordPress Core

Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#6662 closed defect (bug) (fixed)

Users without capability "create_users" can add new users

Reported by: imwebgefunden
Owned by:
Milestone: 2.5.1
Priority: high
Severity: critical
Version: 2.5
Component: Security
Keywords:
Focuses:
Cc:

Description

If a user has the capability "edit_users" and not the capability "create_users", he can add new users.
The defect is in admin-ajax.php. The check is against "edit_users" and not "create_users". I've attached a patch to fix this issue.
A second one - more an add-on and not a defect: We should show the add user form only if the current user has the capability to add a new user. If the current user has the capability "create_users" the form will be shown. The second patch I attached does this job.
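As an added illustration (not the attached patches and not WordPress 2.5 source), the pattern the ticket describes: an AJAX handler that gates user creation on the wrong capability, the same handler with the capability matched to the action, and the conditional form output of the second patch. `current_user_can()` and `check_ajax_referer()` are real WordPress functions; the handler skeleton, the nonce action name and `create_user_from_request()` are assumptions for the example.

```php
<?php
// Illustrative only: not the attached patch and not WordPress core code.
// current_user_can() and check_ajax_referer() are real WordPress functions;
// the handler structure and create_user_from_request() are assumed here.

// BEFORE (the defect): the handler asks "may this user edit users?" while
// the action it performs is creating one. Any role granted "edit_users"
// but never granted "create_users" passes this check and adds accounts.
function ajax_add_user_vulnerable() {
    check_ajax_referer( 'add-user' );          // assumed nonce action name
    if ( ! current_user_can( 'edit_users' ) ) {
        die( '-1' );
    }
    return create_user_from_request();        // hypothetical helper
}

// AFTER: the capability checked matches the action performed. A user with
// only "edit_users" is stopped here, before any account is created.
function ajax_add_user_fixed() {
    check_ajax_referer( 'add-user' );
    if ( ! current_user_can( 'create_users' ) ) {
        die( '-1' );
    }
    return create_user_from_request();
}

// Second patch: render the "Add User" form only for users who can use it.
// This improves the UI, but it is not the security control: the AJAX
// request can be sent without the form, so the server-side check in the
// handler above is what actually enforces the capability.
function render_add_user_form() {
    if ( ! current_user_can( 'create_users' ) ) {
        return;
    }
    echo '<form method="post" action="">';
    echo '<input type="text" name="user_login" />';
    echo '<input type="submit" value="Add User" />';
    echo '</form>';
}
```

The defender's check is the one in the handler: every privileged action must be gated on the capability that names that action, not on a neighbouring one.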

Attachments (2)

ajax_create_users.diff (381 bytes) - added by imwebgefunden 6 years ago.
Patch for admin-ajax.php to check against "create_users"
hide_create_user_form.diff (365 bytes) - added by imwebgefunden 6 years ago.
Show "Add User" Form only if the current user can create new users


Change History (5)

imwebgefunden 6 years ago

Patch for admin-ajax.php to check against "create_users"

imwebgefunden 6 years ago

Show "Add User" Form only if the current user can create new users

comment:1 imwebgefunden 6 years ago

  • Severity changed from normal to critical

comment:2 ryan 6 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [7659]) Check create_users cap instead of edit_users when adding/inserting users. Props imwebgefunden. fixes #6662 for 2.5

comment:3 ryan 6 years ago

(In [7660]) Check create_users cap instead of edit_users when adding/inserting users. Props imwebgefunden. fixes #6662 for trunk
