• Resolved Joost

    (@jberculo)


    Warning! This plugin is adding the edit_post capability to subscribers, allowing them to submit new draft posts to your site, as well as seeing your moderation queues.

    As of yet, the posts will not actually appear on your blog, but I had to clean dozens of draft posts submitted by spam bots, and they keep coming.

    Disabled and will replace plugin.

    As a note: I appreciate the work plugin maintainers are putting into plugins like this. What I don’t like is them ignoring problems. I (amongst others) put in a bug report a month ago which renders the plugin useless for many users. If you are not planning to fix these, just give a heads up. We will move on and thank you for your work. But ignoring the issues and then just releasing a new version without addressing the problems is just next level.

    Instead I got a t-shirt saying ‘I was waiting for a bug getting fixed and all I got was a security issue’.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Hello,

    Has this problem been solved?

    @barbroos
    As far as I understand the code, this “adding the edit_post capability to subscribers” only happens if you check the option “Allow Contributors & Subscribers to upload avatars” on the settings page. But I am not sure about this.

    Plugin Author Collins Agbonghama

    (@collizo4sky)

    We’ve fixed this issue in the latest version released today.

    edit_post cap is no longer added.

  • The topic ‘SECURITY ISSUE: Plugin allows subscribers to submit draft posts’ is closed to new replies.
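
An added example, not part of the thread and not the plugin's code: a role audit that reports any capability granted to subscribers or contributors beyond what WordPress core assigns on a fresh install, which is how a change like the one reported above can be spotted. The function name `unexpected_caps`, the `BASELINE` constant and the sample role data are assumptions made for illustration.

```php
<?php
// Capabilities WordPress core assigns to these roles on a fresh install.
const BASELINE = [
    'subscriber'  => ['read', 'level_0'],
    'contributor' => ['read', 'edit_posts', 'delete_posts', 'level_0', 'level_1'],
];

/**
 * Return, per audited role, every granted capability outside its baseline.
 * $roles has the shape of wp_roles()->roles:
 *   role slug => ['name' => string, 'capabilities' => [cap => bool]]
 */
function unexpected_caps(array $roles, array $baseline = BASELINE): array
{
    $findings = [];
    foreach ($baseline as $role => $allowed) {
        if (!isset($roles[$role]['capabilities'])) {
            continue; // role removed or renamed on this site
        }
        // A capability stored as false is not granted, so it is ignored.
        $granted = array_keys(array_filter($roles[$role]['capabilities']));
        $extra   = array_values(array_diff($granted, $allowed));
        if ($extra !== []) {
            $findings[$role] = $extra;
        }
    }
    return $findings;
}

// Constructed sample data, not taken from a real site. The subscriber role
// carries the extra capability named in the thread.
$roles = [
    'subscriber' => [
        'name'         => 'Subscriber',
        'capabilities' => ['read' => true, 'level_0' => true,
                           'edit_post' => true, 'upload_files' => false],
    ],
    'contributor' => [
        'name'         => 'Contributor',
        'capabilities' => ['read' => true, 'edit_posts' => true,
                           'delete_posts' => true, 'level_0' => true, 'level_1' => true],
    ],
];

// Inside WordPress, pass wp_roles()->roles instead of the sample array.
foreach (unexpected_caps($roles) as $role => $caps) {
    echo $role . ': unexpected capabilities: ' . implode(', ', $caps) . PHP_EOL;
}
```

Capabilities added to a role with `add_cap()` are stored in the database and remain after the plugin that added them is deactivated, so a finding has to be cleared explicitly, for example with `get_role( 'subscriber' )->remove_cap( ... )`.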