• Resolved marbs

    (@marbs)


    My site is experiencing a major privacy security issue. All users can edit all comments under posts and can see the email address of others.

    What have I tried:
    1. All plugins disabled
    2. Installed permission plugin to see if users with a subscriber role have permission to edit comments
3. Reached out to the dev. of my premium theme

    I urgently request tips and advice on how I can solve this problem as quickly as possible.

    Thank you in advance.

Viewing 2 replies - 1 through 2 (of 2 total)
  • To access the comments screen in the admin, a user’s role must have the edit_posts capability. There’s no other way to access it, and the page will die if they do. So, that is your starting point.

    However, edit_posts alone does not give permission to edit/manage individual comments. The user must also have permission to edit the specific post that an individual comment has been left on. And, that depends on a number of different capability checks.

But, first things first. If users can even access the Comments screen in the admin, they have the edit_posts capability. The easiest way to check roles/caps is to install one of the several User Role and Capability management plugins. Then, you need to check whether specific roles have the edit_posts capability assigned to them that should not.

If the user roles do not have that capability assigned, it likely means that you have a plugin/theme that’s active and running a filter late in the process to bypass the cap system. The only way to test that is to deactivate them all to see if it corrects the issue. Then, reactivate one by one until you find the problem plugin/theme.
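The reply above describes two places to look: the stored role table (does a role carry edit_posts at all?) and runtime filters that a plugin can hook to hand out capabilities the role table never granted. The following must-use plugin is an added example written for this thread, not code from WordPress core or from any plugin named here; the `cca_` prefix, the plugin name and the Tools page slug are made up for illustration. It lists the comment-relevant caps per role, lists every callback attached to the `user_has_cap` and `map_meta_cap` filters (the hooks a plugin would use to bypass the cap system), and asks core the same per-comment question it asks before saving an edited comment.

```php
<?php
/**
 * Plugin Name: Comment Capability Audit (example)
 * Description: Shows which roles can reach the Comments screen and which
 *              callbacks hook the capability filters. Place the file in
 *              wp-content/mu-plugins/ and open Tools > Comment cap audit.
 */

// Example code added to this support thread; the cca_ names are hypothetical.

/**
 * For every role, return the subset of capabilities that matter for the
 * Comments screen. edit_posts opens the screen; edit_others_posts and
 * moderate_comments widen what can be done once inside. In a default
 * install only contributor and above carry edit_posts; subscriber has only read.
 */
function cca_roles_with_comment_caps() {
    $watch = array( 'edit_posts', 'edit_others_posts', 'moderate_comments' );
    $out   = array();
    foreach ( wp_roles()->role_objects as $slug => $role ) {
        $granted = array();
        foreach ( $watch as $cap ) {
            if ( $role->has_cap( $cap ) ) {
                $granted[] = $cap;
            }
        }
        $out[ $slug ] = $granted;
    }
    return $out;
}

/**
 * Return the callbacks attached to the two filters a plugin would use to
 * override capabilities at runtime. A plugin that grants comment editing
 * to everyone shows up here even when the stored role table looks clean.
 */
function cca_capability_filter_callbacks() {
    $report = array();
    foreach ( array( 'user_has_cap', 'map_meta_cap' ) as $hook ) {
        $report[ $hook ] = array();
        if ( empty( $GLOBALS['wp_filter'][ $hook ] ) ) {
            continue;
        }
        // WP_Hook::$callbacks is keyed by priority; higher runs later.
        foreach ( $GLOBALS['wp_filter'][ $hook ]->callbacks as $priority => $callbacks ) {
            foreach ( $callbacks as $cb ) {
                $report[ $hook ][] = array(
                    'priority' => $priority,
                    'callback' => cca_callback_name( $cb['function'] ),
                );
            }
        }
    }
    return $report;
}

/** Turn a PHP callable into a printable name. */
function cca_callback_name( $fn ) {
    if ( is_string( $fn ) ) {
        return $fn;
    }
    if ( is_array( $fn ) ) {
        $owner = is_object( $fn[0] ) ? get_class( $fn[0] ) : $fn[0];
        return $owner . '::' . $fn[1];
    }
    return 'Closure';
}

/**
 * Ask core the same question it asks before saving an edited comment.
 * edit_comment is a meta capability that maps to edit_post on the comment's
 * parent post, so the answer reflects both the role table and active filters.
 */
function cca_user_can_edit_comment( $user_id, $comment_id ) {
    return array(
        'required' => map_meta_cap( 'edit_comment', $user_id, $comment_id ),
        'allowed'  => user_can( $user_id, 'edit_comment', $comment_id ),
    );
}

// Expose the audit as a Tools submenu page, visible to administrators only.
add_action( 'admin_menu', function () {
    add_management_page( 'Comment cap audit', 'Comment cap audit', 'manage_options', 'cca-audit', 'cca_render_page' );
} );

function cca_render_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    echo '<div class="wrap"><h1>Comment capability audit</h1><pre>';
    echo esc_html( print_r( cca_roles_with_comment_caps(), true ) );
    echo esc_html( print_r( cca_capability_filter_callbacks(), true ) );
    // Concrete probe: the current user against the newest comment on the site.
    $latest = get_comments( array( 'number' => 1 ) );
    if ( $latest ) {
        echo esc_html( print_r( cca_user_can_edit_comment( get_current_user_id(), $latest[0]->comment_ID ), true ) );
    }
    echo '</pre></div>';
}
```

Read the output in the order the reply suggests: if `subscriber` shows `edit_posts`, the role table itself has been altered and restoring default roles fixes it; if the role table is clean but the per-comment probe still says `allowed`, look at the `user_has_cap` callbacks with the highest priority, since a filter that runs last wins. WP-CLI offers the same two checks from the shell with `wp cap list subscriber` and `wp role reset --all`.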

    Thread Starter marbs

    (@marbs)

    Hi I just figured out what caused it.

    I had to disable all plugins first and run the plugin Reset Roles and Capabilities By Francesco Taurino.

I then activated them one by one and the moment I activated “BuddyPress Member Blog” by WPCOMDESIGNS the issue came back and I had to uninstall it and reset roles again.

    This issue is solved.

    • This reply was modified 2 years, 6 months ago by marbs.
  • The topic ‘Users can manage all post comments – privacy security issue’ is closed to new replies.