• Once Memphis Documents Library is enabled, the user-rights management is broken. Editors (not tested with other user roles: author, contributor, subscriber) have the right to delete the entire sub-instance, which is normally only allowed to admins. This behaviour stays even when Memphis Documents Library is disabled. The entry “delete site” stays in the tools menu and is usable! The file https://mydomain.tld/wp-admin/ms-delete-site.php can be triggered.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author bhaldie

    (@bhaldie)

    Is the user rights manager a plugin?

    You have to be very careful when giving a role type admin rights to mDocs. “Manage Options” is a very powerful rule and should only be given to the most trusted role types.

    Deleting mDocs will not revert the roles; you must turn the rules off in the mDocs settings, then you can delete mDocs.

    • This reply was modified 6 years, 2 months ago by bhaldie.

    a) Managing options in mDocs shall not lead to a privilege escalation within the multisite. It’s still a major bug and a security flaw. It’s something completely different to manage settings of a plugin vs. deleting an entire sub-site from a multisite install!

    b) Why are roles not reverted once the plugin is deinstalled? Why is there no rollback? Or otherwise: if this behavior (for whatever reason) is intended – where’s the documentation for this?

    Plugin Author bhaldie

    (@bhaldie)

    A) Can you go into detail on what you are referring to? Step by step on how to recreate this issue.

    B) Rolling back is not an option; roles and permissions are a WordPress setting. I will write documentation on this in the next version of mDocs if that helps.

  • The topic ‘security issue in multisite install’ is closed to new replies.
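
The thread states that a "Manage Options" grant stays on a role after mDocs is disabled or deleted. The following added example (not from the thread or from mDocs) audits each site for roles other than administrator that still hold `manage_options`; the helper name `roles_with_cap`, the file name and the sample data are assumptions made for illustration.

```php
<?php
// Added example (not mDocs code): report roles other than administrator
// that hold manage_options. Input has the shape of wp_roles()->roles:
//   role slug => ['name' => ..., 'capabilities' => [capability => bool]]

// Hypothetical helper name; pure PHP, so it also runs without WordPress.
function roles_with_cap(array $roles, string $cap, array $expected = ['administrator']): array
{
    $hits = [];
    foreach ($roles as $slug => $role) {
        if (in_array($slug, $expected, true)) {
            continue; // role is expected to hold the capability
        }
        if (!empty($role['capabilities'][$cap])) {
            $hits[] = $slug;
        }
    }
    return $hits;
}

if (function_exists('wp_roles')) {
    // Inside WordPress, e.g. `wp eval-file audit-roles.php` (file name assumed).
    // Roles are stored per site, so a multisite network is checked site by site.
    $multisite = is_multisite();
    $site_ids  = $multisite ? get_sites(['fields' => 'ids', 'number' => 0]) : [get_current_blog_id()];
    foreach ($site_ids as $site_id) {
        if ($multisite) {
            switch_to_blog($site_id);
        }
        foreach (roles_with_cap(wp_roles()->roles, 'manage_options') as $slug) {
            printf("site %d: role '%s' holds manage_options\n", $site_id, $slug);
            // After review, revoke with: get_role($slug)->remove_cap('manage_options');
        }
        if ($multisite) {
            restore_current_blog();
        }
    }
} else {
    // Constructed sample: an editor role left holding manage_options.
    $sample = [
        'administrator' => ['name' => 'Administrator', 'capabilities' => ['manage_options' => true]],
        'editor'        => ['name' => 'Editor', 'capabilities' => ['edit_posts' => true, 'manage_options' => true]],
        'author'        => ['name' => 'Author', 'capabilities' => ['edit_posts' => true]],
    ];
    print_r(roles_with_cap($sample, 'manage_options'));
}
```

Run with plain `php` it checks the constructed sample; run through WP-CLI it reads the live role table of every site in the network.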