However, I must say that what you are saying is a bit misleading. First, this does not qualify as a major security flaw.
Really? The fact that a subscriber has the capability to bulk delete 20,000 photos feels like a security flaw to me, but we can refer to it as a bug if it makes you feel better.
Most importantly, it is not true that any user can restore backups, bulk optimize or bulk delete images. Only administrators and editors can perform such actions.
I wish that were the case. Actually, it’s quite true, and when I tried to post snipboard screenshots, I received a yellow warning message showing that I wasn’t permitted to do so.
They weren’t just “appearing” to be an option in the annoying menu that couldn’t be removed. The option worked; they could also fully restore the ShortPixel database. Again, I tried to post screenshots, but I got my hand slapped.
In any case, I’m sure you’ll be happy to hear that we already have on our roadmap a feature request to customize the roles that can access certain menus or do certain actions.
That is refreshing as I do not wish to use multiple functions to protect my images:
1. To disallow users from seeing anything but their own images
2. To disallow List Mode, which gave them access to the ShortPixel Compression Settings
3. To disable the bulk Delete mode, which does indeed still work
// Completed for context: $subscriber is assumed to be the WordPress role object returned by get_role()
$subscriber = get_role('subscriber');
$subscriber->remove_cap('handleCustomBulk');
$subscriber->remove_cap('manage_media_columns');
At this point I’m good, I finally secured my site, and I was just letting you know so you could address the issues as you see fit.
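As an added example (not code from this post or from the ShortPixel plugin), here is a must-use plugin that applies the three steps listed above in one place: the two capability names are taken from the post, the hooks and role names are standard WordPress, and the file name, the list of restricted roles and the use of edit_others_posts as the dividing line are assumptions.

```php
<?php
/**
 * Plugin Name: Restrict ShortPixel bulk actions for low-privilege roles
 * Hypothetical file: wp-content/mu-plugins/restrict-shortpixel.php
 */

// Capability names come from the forum post; role names are WordPress defaults (assumed set).
const RSP_BULK_CAPS = ['handleCustomBulk', 'manage_media_columns'];
const RSP_LOW_ROLES = ['subscriber', 'contributor', 'author'];

// Steps 2 and 3: strip the capabilities that expose List Mode and bulk delete.
// Runs on every load because role changes persist in the database and a plugin update may re-add caps.
add_action('init', function (): void {
    foreach (RSP_LOW_ROLES as $role_name) {
        $role = get_role($role_name);
        if ($role === null) {
            continue; // role removed or renamed on this site
        }
        foreach (RSP_BULK_CAPS as $cap) {
            if ($role->has_cap($cap)) {
                $role->remove_cap($cap);
            }
        }
    }
});

// Step 1: in the admin media library (list mode), users who cannot edit others'
// posts (i.e. everyone below editor) only see attachments they uploaded themselves.
function rsp_limit_to_own_media(WP_Query $query): void
{
    if (is_admin()
        && $query->is_main_query()
        && $query->get('post_type') === 'attachment'
        && !current_user_can('edit_others_posts')) {
        $query->set('author', get_current_user_id());
    }
}
add_action('pre_get_posts', 'rsp_limit_to_own_media');

// Grid mode loads attachments over AJAX, so apply the same author restriction there.
add_filter('ajax_query_attachments_args', function (array $args): array {
    if (!current_user_can('edit_others_posts')) {
        $args['author'] = get_current_user_id();
    }
    return $args;
});
```

Editors and administrators keep both capabilities and full media visibility, which matches the access the plugin author describes as intended.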