Got this message:
Rafie Muhammad (Patchstack) discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress HM Multiple Roles Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.
No fixing???

Being aware that there is already a topic on this post, I was asked by a moderator to start a new topic. I’m referring to the same cross-scripting error that was mentioned here already and was first reported on July 18th, 2023.
Here is the report for the vulnerability in your plugin: https://patchstack.com/database/vulnerability/hm-multiple-roles/wordpress-hm-multiple-roles-plugin-1-9-reflected-cross-site-scripting-xss-vulnerability?_a_id=431
I would like to know if I can expect a fix from you soon or if I should look for (more secure) alternatives to your plugin.
Thanks for the info!
Sorry to be the bearer of bad news, but WP Toolkit on Plesk has just alerted me to the following vulnerability:
WordPress HM Multiple Roles plugin <= 1.9 – Reflected Cross Site Scripting (XSS) vulnerability
Do you know about this already and is a fix in the works? I’m sorry I can’t provide a link to the report as I’ve not been able to find it in the vulnerability databases I know of, but WP Toolkit seems to have been alerted to it, and hopefully you have too.

Hi, I got a Jetpack scan saying
The plugin HM Multiple Roles (version 1.6) has a known vulnerability.
Vulnerable.WP.Extension

Hi
Unauthorised AJAX Calls via Freemius reported: see link
Your plugin is not in the list, but it is good to check this out.
Thanks

I’ve tried it in a Multi Site installation of WP and it doesn’t work.
I can create the user but when I log in, I get ‘You don’t have permission to access this site’.
Thanks for support

Hello Hossni, thank you very much for creating this plugin. I am having a similar issue and hope I can provide details that will help you debug, if you choose to do so. If you do choose to debug, please let me know so I can decide if I wait or look for another plugin.
I’m having a similar issue to others on here. I am also using Ultimate Member. I can confirm that when I deactivated Ultimate Member, this issue did not happen.
When both plugins are active (HM Multiple Role and Ultimate Member), Ultimate Member allows me to create more roles that didn’t exist previously in WordPress.
I noticed that the original role of the user (it was set by Ultimate Member originally, and is a role created in WordPress by Ultimate Member) is the one that cannot be removed. All other roles can be added and removed. But the very first role cannot.
Another interesting thing is that, if you assign multiple roles, and then you deselect the role that is “stuck” and save, it will refresh with that role still being selected (not removed) but another role that had not been deselected was actually removed.

I have many user roles created and we are using the Ultimate Member plugin.
I am using your plugin to assign multiple roles for the user accounts.
The problem is that I want to remove one of the roles from some users, but when I uncheck those user roles and save the user account, the user role is not removed as it should be.
I see that another user reported this issue on the www.remarpro.com plugin listing about 3 months ago and never received a reply.
Any assistance would be appreciated.
Hi
Any user with a basic role can go to his edit profile page and change his role to admin.
I don’t know if this is the intended behaviour, but it can be a real security issue.
Hello,
In Settings > General, we have an option to select from a dropdown a default role for new users. Can we have multiple default roles for all new users like this?
For the role to be rendered in the same language as the site, you’ll need to use the translate_user_role function where you render the options:
<?php echo esc_html( translate_user_role( $role_data['name'] ) ); ?>
Hello, I wanted to know if we can change the code or do something to change the list of roles from Account to make it a checkbox list, so that we can easily select multiple accounts and give multiple roles at the same time, without going to the profile page and giving multiple roles. I need to give 3-4 roles to a big number of people, and doing it in the profile page of each account takes pretty long.
https://i.ibb.co/HTNrFTf/Capture-d-cran-2021-05-14-174611.png

I have roles created with Ultimate User. Using HM Multiple Role, I can add new roles to users. But I cannot remove the user back. After clicking Save, the User page reloads and the role that I removed is still ticked.