[wp-trac] [WordPress Trac] #14578: Security issue after plugin deactivation (by accidentally creating administrators)

WordPress Trac wp-trac at lists.automattic.com
Tue Aug 10 10:00:29 UTC 2010


#14578: Security issue after plugin deactivation (by accidentally creating
administrators)
--------------------------+-------------------------------------------------
 Reporter:  Ivolution     |       Owner:                                 
     Type:  defect (bug)  |      Status:  new                            
 Priority:  normal        |   Milestone:  Awaiting Review                
Component:  General       |     Version:  3.0.1                          
 Severity:  major         |    Keywords:  plugin, administrator, security
--------------------------+-------------------------------------------------
 Take these steps:

 1. Activate a plugin that creates a role on activation. For example, it
 calls "add_role( 'photo_uploader', 'Photo Uploader', array( 'read')
 );"
 2. In General Settings, set the Default User Role to this new role, 'Photo
 Uploader'.
 3. Deactivate the plugin, removing the roles: "remove_role(
 'photo_uploader');"
 4. In General Settings, the Default User Role now displays
 'Administrator'. (In the database, it still says 'photo_uploader'.)
 5. When creating a new user (as admin), the role dropdown-box now displays
 'Administrator' as role for this new user. This new user _will_ have role
 'Administrator' if an unsuspecting admin does not explicitly alter the
 role in the dropdown-box.

 This way, an unsuspecting administrator might accidentally create new
 admins for his blog.

 I have also tested this for new users registering themselves. Fortunately,
 they are assigned the role 'None', not 'Administrator'.

 Greetings,

 Ivo van der Linden
 (employee of LaQuSo @ Eindhoven University of Technology)

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/14578>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
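The steps above, as an added example that is neither the ticket's nor WordPress core's code: a hypothetical plugin that registers the 'photo_uploader' role on activation and, on deactivation, resets `default_role` before removing the role, so the option never points at a role that no longer exists. It also carries a defensive `admin_init` check for the case where some other plugin has already left `default_role` dangling. The `pu_` prefix, the function names, the fallback to 'subscriber' and the notice text are assumptions; `add_role`, `remove_role`, `get_role`, `get_option`, `update_option` and the activation/deactivation hooks are the real WordPress APIs. Note that `add_role` expects capabilities as `name => true` pairs, so the example passes `array( 'read' => true )` rather than the `array( 'read' )` quoted in the ticket.

```php
<?php
/*
Plugin Name: Photo Uploader Role (example, not part of the ticket)
Description: Registers the 'photo_uploader' role and keeps default_role consistent.
*/

// Assumed role slug and the low-privilege role to fall back to if default_role dangles.
const PU_ROLE          = 'photo_uploader';
const PU_FALLBACK_ROLE = 'subscriber';

register_activation_hook( __FILE__, 'pu_activate' );
register_deactivation_hook( __FILE__, 'pu_deactivate' );
add_action( 'admin_init', 'pu_check_default_role' );

function pu_activate() {
    // A read-only role; capabilities are keyed by name, value true.
    add_role( PU_ROLE, 'Photo Uploader', array( 'read' => true ) );
}

function pu_deactivate() {
    // Reset default_role *before* the role disappears. If the option is left
    // pointing at a removed role, the new-user dropdown has no matching option
    // to preselect and the browser shows the first one, Administrator.
    if ( get_option( 'default_role' ) === PU_ROLE ) {
        update_option( 'default_role', PU_FALLBACK_ROLE );
    }
    remove_role( PU_ROLE );
}

/**
 * Defensive check on every admin page load: if default_role names a role that
 * no longer exists (e.g. removed by another plugin's deactivation), reset it to
 * a low-privilege role and tell the administrator, rather than letting new
 * users silently default to Administrator.
 */
function pu_check_default_role() {
    $default = get_option( 'default_role' );
    if ( null !== get_role( $default ) ) {
        return; // option points at an existing role, nothing to do
    }
    update_option( 'default_role', PU_FALLBACK_ROLE );
    add_action( 'admin_notices', function () use ( $default ) {
        printf(
            '<div class="error"><p>%s</p></div>',
            esc_html( sprintf(
                'The default role "%s" no longer exists; it has been reset to "%s". Review any users created in the meantime.',
                $default,
                PU_FALLBACK_ROLE
            ) )
        );
    } );
}
```

The `admin_init` check is the part worth keeping even if the role plugin is not yours: it turns the silent failure described in step 4 (the settings page and the database disagreeing) into a visible notice and a safe default.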

