• Hi there,

    I noticed that if you have the Groups setting, “Administrators override all access permissions derived from Groups capabilities” checked, Groups overrides this in wp-config.php:

    define( 'DISALLOW_FILE_MODS', true );

This creates a security issue, since if the site owner wishes to disable file editing & plugin installation for even WordPress administrators, all a WordPress administrator has to do is check that box to re-enable his or her access to plugin & theme editing.

    I tested this using WordPress 4.61 and Groups 1.13.1 on two different installations, including a vanilla WordPress install with only Groups plugin enabled and default 2016 theme.

    Thanks!

    • This topic was modified 8 years, 2 months ago by nocabt.
Viewing 1 replies (of 1 total)
  • Plugin Author Kento (@proaktion)

    Hi @nocabt,

    Thanks for pointing this out; in this case that would indeed re-enable the ability to edit plugins etc. Maybe we should have the option to disable administrator overrides for Groups also in wp-config.php … or disable that option based on certain values, such as when DISALLOW_FILE_MODS is enabled.

    I’ll have a look at this and any additional feedback is of course welcome.

    Cheers
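Until the plugin itself yields to DISALLOW_FILE_MODS as Kento suggests, a site owner can pin the restriction at the capability layer so that no "administrator override" can hand it back. The must-use plugin below is an added example written for this thread, not code from Groups or from WordPress core; the efm_ function names, the file name and the assumption that the override works by granting every capability through the user_has_cap filter (including the do_not_allow sentinel that map_meta_cap() emits for blocked file operations) are mine. It runs last on user_has_cap and forces the file-modification capabilities, and do_not_allow itself, to false whenever the wp-config.php constants say so.

```php
<?php
/**
 * Plugin Name: Enforce DISALLOW_FILE_MODS
 * Description: Must-use plugin that re-asserts DISALLOW_FILE_MODS / DISALLOW_FILE_EDIT
 *              after every other user_has_cap filter has run.
 *
 * Added example for this thread, not Groups' or WordPress core's own code.
 * Install as wp-content/mu-plugins/enforce-disallow-file-mods.php (hypothetical name).
 */

defined( 'ABSPATH' ) || exit;

/**
 * Capabilities that core's map_meta_cap() resolves to 'do_not_allow' under the given
 * constants: the install/update/delete family when file mods are disallowed, and the
 * three editor capabilities when either constant is set.
 *
 * @param bool $disallow_file_mods Value of DISALLOW_FILE_MODS.
 * @param bool $disallow_file_edit Value of DISALLOW_FILE_EDIT.
 * @return string[] Capabilities that must be denied.
 */
function efm_denied_caps( $disallow_file_mods, $disallow_file_edit ) {
	$denied = array();
	if ( $disallow_file_mods ) {
		$denied = array(
			'install_plugins', 'upload_plugins', 'update_plugins', 'delete_plugins',
			'install_themes',  'upload_themes',  'update_themes',  'delete_themes',
			'update_core',
		);
	}
	if ( $disallow_file_mods || $disallow_file_edit ) {
		$denied = array_merge( $denied, array( 'edit_files', 'edit_plugins', 'edit_themes' ) );
	}
	return $denied;
}

/**
 * user_has_cap callback. Receives the capability map built by earlier filters
 * (e.g. a role plugin's "administrators get everything" override) and removes
 * what the site owner disabled in wp-config.php.
 *
 * @param array   $allcaps Capabilities the user currently has (true/false map).
 * @param array   $caps    Primitive caps required for the check, from map_meta_cap().
 * @param array   $args    [ requested cap, user ID, object ID ... ].
 * @param WP_User $user    The user being checked.
 * @return array Adjusted capability map.
 */
function efm_enforce_file_mods( $allcaps, $caps, $args, $user ) {
	// 1. Never let an earlier filter grant the 'do_not_allow' sentinel. Current core
	//    clears it after the filter runs; the release in this thread relied on the
	//    filter output, so a grant-everything override could pass this check.
	$allcaps['do_not_allow'] = false;

	// 2. Explicitly deny the file-modification primitives as well, so the result
	//    does not depend on how the calling code phrased its capability check.
	$denied = efm_denied_caps(
		defined( 'DISALLOW_FILE_MODS' ) && DISALLOW_FILE_MODS,
		defined( 'DISALLOW_FILE_EDIT' ) && DISALLOW_FILE_EDIT
	);
	foreach ( $denied as $cap ) {
		$allcaps[ $cap ] = false;
	}
	return $allcaps;
}

// PHP_INT_MAX priority: run after any plugin that hooks at a normal priority.
add_filter( 'user_has_cap', 'efm_enforce_file_mods', PHP_INT_MAX, 4 );
```

WP_User::has_cap() treats an empty entry in the filtered map as a denial, so setting the capability to false is sufficient; the menu entries and admin screens for plugin/theme editing and installation then disappear for administrators exactly as they do without the override. Two caveats: callbacks at the same priority run in registration order, and mu-plugins load before regular plugins, so another plugin that also registered at PHP_INT_MAX would still run after this one; and this is a capability-layer control only, so file-system permissions that stop the web server user from writing to wp-content remain the stronger backstop.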

  • The topic ‘Security concern – Groups overrides wp-config.php settings’ is closed to new replies.