[wp-trac] [WordPress Trac] #45070: Entire Media Library & permissions available to subscribers by accessing wp-admin as a subscriber only.
WordPress Trac
noreply at wordpress.org
Wed Oct 10 02:47:15 UTC 2018
#45070: Entire Media Library & permissions available to subscribers by accessing
wp-admin as a subscriber only.
--------------------------+-----------------------------
Reporter: tamramc | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version: 4.9.8
Severity: major | Keywords: has-screenshots
Focuses: |
--------------------------+-----------------------------
I was trying to hide the admin toolbar as I don't want users accessing the
backend/Dashboard for any reason. I updated the wp-includes/admin-bar.php
file to hide the toolbar. However, I immediately typed <domainname>/wp-admin
while logged in as a subscriber to test, and was able to access wp-admin,
which is strange because if I log in as a contributor using wp-login.php,
I immediately receive "not authorized" after login.

In this case, all options were unavailable except for the "Media" option.
Even "New" is in the menu bar, with the option to create a new media file.
This is wrong because if a user is replying to a post, users cannot upload
media to post content, but only create a link to media.

The Media list is blank (the user has no media files as a new user) when
viewed in pane view, but the user can add new media, including videos, which
I didn't think would be allowed for security reasons. But in Media "List"
view ALL media files created by admins are shown, including files not
attached to any posts but unattached, and the admins' names are shown,
including private admin names.

This is an issue for me because of brute force login attempts. I expected
that if a user is just a subscriber, only "edit profile" would be
available.

Persons run scripts to get usernames, but all a person has to do is
register a new account, open wp-admin and select Media, and usernames will
be available in the list.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/45070>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
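A defensive must-use plugin, added here as an example (it is not from the ticket and not part of WordPress core), that addresses the symptoms reported above with supported hooks rather than edits to wp-includes/admin-bar.php: it hides the toolbar through the show_admin_bar filter, keeps users who cannot edit others' posts out of wp-admin except their own profile page, and scopes both the media list table and the grid/modal attachment query to the current user's own uploads so other users' files and author names are not listed. The edit_others_posts capability as the threshold and profile.php as the redirect target are assumptions of this example.

```php
<?php
/**
 * Plugin Name: Scope Media Library for Low-Privilege Users (added example)
 *
 * Place in wp-content/mu-plugins/. Assumption: "low privilege" means any
 * user without the edit_others_posts capability (subscribers, contributors,
 * authors under the default role definitions).
 */

// Hide the toolbar with the supported filter instead of editing core files,
// which are overwritten on every WordPress update.
add_filter( 'show_admin_bar', function ( $show ) {
    return current_user_can( 'edit_others_posts' ) ? $show : false;
} );

// Keep low-privilege users out of wp-admin, except their own profile page.
// admin-ajax.php is left alone so front-end features that rely on it work.
add_action( 'admin_init', function () {
    if ( wp_doing_ajax() || current_user_can( 'edit_others_posts' ) ) {
        return;
    }
    global $pagenow;
    if ( 'profile.php' !== $pagenow ) {
        wp_safe_redirect( admin_url( 'profile.php' ) ); // assumed target
        exit;
    }
} );

// Media list table (upload.php, "List" view): restrict the main attachment
// query to the current user's own uploads.
add_action( 'pre_get_posts', function ( $query ) {
    if ( is_admin() && $query->is_main_query()
        && 'attachment' === $query->get( 'post_type' )
        && ! current_user_can( 'edit_others_posts' ) ) {
        $query->set( 'author', get_current_user_id() );
    }
} );

// Grid view and the media modal fetch attachments over AJAX; apply the same
// author restriction to that query's arguments.
add_filter( 'ajax_query_attachments_args', function ( $args ) {
    if ( ! current_user_can( 'edit_others_posts' ) ) {
        $args['author'] = get_current_user_id();
    }
    return $args;
} );
```

If subscribers should not be able to upload at all, the separate fix is to make sure the subscriber role does not carry the upload_files capability, which this plugin does not change.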