Import User with Higher Role

  • Resolved nonprofitweb

    (@nonprofitweb)


    6 years ago

    Thank you for your plugin. However, there is a security vulnerability in the import functionality. A user with the capability “create_users” can import users. Wonderful! However, this plugin doesn’t check to see if the role being imported is the same level or below of the current user. This allows a user to import a user with higher capabilities. A user adding a user through the WordPress Add User page cannot add a user higher than their role, so this issue is created by this plugin.

    While of course you should trust anyone that has create_users capability, in some cases this person may not be an administrator. A use case is a website for a client that has far ranging capability but more of the administration roles are left to someone else, following good security practices. Please fix major security loophole!

    Thank you.

Viewing 5 replies - 1 through 5 (of 5 total)
  • Thread Starter nonprofitweb

    (@nonprofitweb)

    6 years ago

    I went digging into the code a little bit and came up with this solution, all modifications to importer.php:

    At the top where you are assigning variables, add:
    $editable_roles = array_keys(get_editable_roles());

    And then after line 221, after the new/modified user array of roles is defined, add the following:

    if (!empty(array_diff($role, $editable_roles))) {
	$error_string = 'You do not have permission to assign this role';
	echo '<script>alert("' . __( 'Problems with user:', 'import-users-from-csv-with-meta' ) . $username . __( ', we are going to skip. \r\nError: ', 'import-users-from-csv-with-meta') . $error_string . '");</script>';
	$created = false;
	continue;
}

    I have not tested with cron or frontend but it appears to be working fine on the backend.

    An additional improvement to the backend page would be to ad id’s to the form fields. This way they can be targeted through css to hide and clean up the UI for options that are not important for non administrators. I’ll be glad to do this if you like and send you my revisions.

    Plugin Author Javier Carazo

    (@carazo)

    6 years ago

    @nonprofitweb,

    Thanks for reporting the problem and the solution. I have just added it. New version has your fix.

    An additional improvement to the backend page would be to ad id’s to the form fields. This way they can be targeted through css to hide and clean up the UI for options that are not important for non administrators. I’ll be glad to do this if you like and send you my revisions.

    Yes, it would be great.

    malanciault

    (@malanciault)

    6 years ago

    Hi,

    I’m logged in as admin and I’m importing a CSV where I added a Role column. I get this error:

    “You do not have permission to assign this role”

    Let me know what I can do to fix. Thanks

    malanciault

    (@malanciault)

    6 years ago

    My bad. No error. The role I was assigning did not exist 😉

    Plugin Author Javier Carazo

    (@carazo)

    6 years ago

    @malanciault, we have to improve the error reporting 🙂

Viewing 5 replies - 1 through 5 (of 5 total)

The topic ‘Import User with Higher Role’ is closed to new replies.