Security Hole: Temporary Administrator User Can Delete Main Administrator User
POTENTIAL SECURITY HOLE
Is there any way the main website Administrator can grant temporary Administrator status to another user with the following exceptions?
(1) The temporary Administrator cannot access iThemes Security Plugin settings.
(2) The temporary Administrator cannot delete the main website Administrator user profile(s).
We looked at all plugin settings (including User Groups), but none seem to work.
To confirm they didn’t work, we installed the plugin “User Switching”, switched to the temporary Administrator’s user profile and were able to access the main website Administrator’s credentials with the ability to delete them from our website.
Please advise. If not possible, I would consider the above a major security hole in your plugin.
Thank you!