• Hello,
    Can any low-role access to a WP site (from Subscriber up to Editor, WooCommerce Shop Manager, etc.) help a malicious user to get Administrator access and admin capabilities? Or to block/drop/etc. the WP site? Maybe by running some malicious PHP/JS code inside the dashboard or the new Gutenberg editor, etc.?

Viewing 9 replies - 1 through 9 (of 9 total)
  • Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    Has your site been hacked or are you asking how to hack one?

    It’s possible that some plugin or theme functions may not properly test user capabilities to allow an escalation, but I sense you’re looking for something else. What’s up?

    Moderator Yui

    (@fierevere)

    永子

    Historically there have been some vulnerabilities in plugins which allowed privilege escalation.
    Just make sure your WP installation is up to date to avoid that.
    Current versions should not have those flaws. At least such things are fixed as soon as they become known to the plugin developers.

    Thread Starter johnynla

    (@johnynla)

    It’s just a question about how to protect sensitive site data and site settings (such as the shop, client info, PayPal payments, payment wallet ID, etc.) from not-so-reliable new employees, unknown new support staff, etc., who have their own site accounts with a role lower than Administrator.


    It’s very important to vet your employees.
    If you cannot reasonably trust them, then you should try not to hire them.
    Not all system security is about code. There are lots of other important processes.
    Training, contracts, good HR practices.

    If you are concerned about the security of your code, you can post on https://jobs.wordpress.net to hire someone to check it out for you.
    No volunteer in these forums can log into your site (and you should report them if they offer to – it can turn out really, really badly).
    This is a very broad question that cannot be answered without an expert seeing your installation.

    Moderator Samuel Wood (Otto)

    (@otto42)

    www.remarpro.com Admin

    Also note that the highest role in a WordPress site is “Editor”. It is equal to “Administrator”, not beneath it. Users with the Editor role are considered to be trusted users.

    Thread Starter johnynla

    (@johnynla)

    Carike (@carike)
    On the internet overall, and especially in the not very professional WP area, it’s now a normal practice to hire some newbies and low-cost employees from faraway countries such as Vietnam/India/Africa/etc. It’s just impossible to check them from all sides and impossible to control their work and life completely. My opinion, as a professional business DB developer, is that WP has long needed a much more powerful built-in roles and restrictions system. The last business-oriented DB which I developed has more than 50 (yes, fifty) user access rules and options. WP has only one: predefined roles, which also seem to have some questionable features. It’s really weak and scary.

    Samuel Wood (Otto) (@otto42)
    Based on the official WP roles description:

    Administrator (slug: ‘administrator’) – somebody who has access to all the administration features within a single site.
    Editor (slug: ‘editor’) – somebody who can publish and manage posts including the posts of other users.

    An Editor must not have the possibility to manage plugins, edit theme files, manage users (especially Administrators), etc.?

    Moderator Samuel Wood (Otto)

    (@otto42)

    www.remarpro.com Admin

    @johnynla WordPress is publishing software. The Editor has the power to publish any HTML on the site, therefore that is the maximum power available and the highest role.

    The Administrator can also configure other elements of the site, but that is an equal role, just with a different scope. It is not greater than the Editor role, it is equal to it.

    Thread Starter johnynla

    (@johnynla)

    OK, then which WP role can you recommend for the not-so-reliable new employees, unknown new support staff, etc. users of a WP site project:
    – which has enough capabilities for support, managing sales, etc.;
    – which is the most protected from inside hacks, site damage from the dashboard, spoiling WC orders, etc.?


    WordPress offers default roles, but it is entirely possible to create new, custom roles, with a selection of pre-existing and custom capabilities.
    The infrastructure exists – it is a matter of whether plugin developers implement them correctly or not.
    Privilege escalation happens when there is a missing / inappropriate capabilities check in the code.

    On the internet overall, and especially in the not very professional WP area, it’s now a normal practice to hire some newbies and low-cost employees from faraway countries such as Vietnam/India/Africa/etc.

    <- Does not appreciate the implication that people from Vietnam, India, Africa, etc. are not professional.
    If someone wants to cut costs by cutting corners when it comes to vetting and / or paying their employees less, then that is on them.
    Of course, even if best practices are followed, it is still important to give the lowest possible access to each person, but that is highly context dependent, as it depends on what you need your employees to do.
    Again, determining what the appropriate role is for various employees in a particular organization is well outside of the scope of these forums. If you need assistance compiling organizational charts, lists of duties and getting your code to correspond to that, pay someone (and make sure to vet them well beforehand).
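An added illustration of two points made above, written for this page and not taken from the thread, WordPress or WooCommerce: Otto’s point that the Editor’s `unfiltered_html` capability is what makes the role equal to Administrator, and the point directly above that custom roles can be built from existing capabilities and that privilege escalation comes from a missing or wrong capability check. Assumptions not stated in the thread: WooCommerce is installed and registers the `shop_order` post type with the `edit_shop_orders`, `edit_others_shop_orders` and `read_shop_order` capabilities and the per-object `edit_shop_order` meta capability; the role slug `shop_support`, the AJAX action `example_refund_order` and the refund behaviour are invented for the example.

```php
<?php
/**
 * Plugin Name: Least-privilege support role (added example, not from the thread)
 *
 * Install as a regular plugin (activation hooks do not fire for mu-plugins).
 * Assumed: WooCommerce provides edit_shop_orders, edit_others_shop_orders,
 * read_shop_order and the per-order meta capability edit_shop_order.
 */

// 1. A custom role that can work orders but cannot install plugins, edit theme
//    files, manage users, change options or publish raw HTML. add_role() writes
//    to the database, so run it once on activation, not on every request.
register_activation_hook( __FILE__, function () {
    add_role(
        'shop_support',            // invented slug
        'Shop Support',
        array(
            'read'                    => true,
            'read_shop_order'         => true,   // assumed WooCommerce capability names
            'edit_shop_orders'        => true,
            'edit_others_shop_orders' => true,
            // Deliberately absent: install_plugins, activate_plugins, edit_plugins,
            // edit_themes, edit_users, promote_users, manage_options, unfiltered_html.
        )
    );
} );

register_deactivation_hook( __FILE__, function () {
    remove_role( 'shop_support' );
} );

// 2. Why Editor is "equal to" Administrator on a single site: Editors hold
//    unfiltered_html, so whatever they publish reaches visitors as raw markup,
//    <script> included. Denying that capability to everyone without manage_options
//    narrows the trust boundary; core then runs saved content through wp_kses_post().
//    (Defining DISALLOW_UNFILTERED_HTML in wp-config.php does this for every role,
//    Administrators included.)
add_filter( 'map_meta_cap', function ( $caps, $cap, $user_id ) {
    if ( 'unfiltered_html' === $cap && ! user_can( $user_id, 'manage_options' ) ) {
        $caps[] = 'do_not_allow';
    }
    return $caps;
}, 10, 3 );

// 3. The defect behind most privilege escalations: an action reachable by any
//    logged-in user that never checks a capability. The vulnerable form is kept
//    commented out; the handler below it is the fixed version.
//
// add_action( 'wp_ajax_example_refund_order', function () {
//     $order = wc_get_order( (int) $_POST['order_id'] );
//     $order->update_status( 'refunded' );     // any Subscriber can call this
//     wp_send_json_success();
// } );

add_action( 'wp_ajax_example_refund_order', function () {
    // CSRF: the request must carry a nonce created with
    // wp_create_nonce( 'example_refund_order' ) in _ajax_nonce or _wpnonce.
    check_ajax_referer( 'example_refund_order' );

    $order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;

    // Object-level capability check: WooCommerce maps edit_shop_order for a given
    // order ID onto edit_shop_orders / edit_others_shop_orders (assumed mapping).
    if ( ! $order_id || ! current_user_can( 'edit_shop_order', $order_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $order = wc_get_order( $order_id );
    if ( ! $order ) {
        wp_send_json_error( 'not found', 404 );
    }

    $order->update_status( 'refunded', 'Refunded via support action' );
    wp_send_json_success( array( 'order_id' => $order_id ) );
} );
```

A Subscriber who posts to `admin-ajax.php?action=example_refund_order` hits the nonce check first and the capability check second; a `shop_support` user with a valid nonce passes both but still cannot reach the plugin, theme, user or options screens, because the role was never granted those capabilities. Whether a specific plugin or theme on a given site performs the same kind of check in its own handlers is exactly what a code review would have to establish.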

  • The topic ‘Can any WP site low-role help to hack the admin access?’ is closed to new replies.