Title: Plugin security issues
Last modified: January 17, 2017

---

# Plugin security issues

 *  Resolved [befree22](https://wordpress.org/support/users/befree22/)
 * (@befree22)
 * [9 years, 4 months ago](https://wordpress.org/support/topic/plugin-security-issues/)
 * Hi,
 * I like your plugin but I’m very concerned about the security issues that the 
   following 2 reviews left at:
 * 1. [https://wordpress.org/support/topic/serious-security-issues/](https://wordpress.org/support/topic/serious-security-issues/) —
   Did you disable access to media library?
 * 2. [https://wordpress.org/support/topic/easily-hacked/](https://wordpress.org/support/topic/easily-hacked/) —
   Did you add wp_nonce to prevent bot submissions?
 * Also, I’d like to know if the pro version permits multiple url submissions — 
   ex. I’d like users to be able to reference several sources for articles/content
   they submit.
 * Awaiting a reply

Viewing 1 replies (of 1 total)

 *  Plugin Author [Jeff Starr](https://wordpress.org/support/users/specialk/)
 * (@specialk)
 * [9 years, 4 months ago](https://wordpress.org/support/topic/plugin-security-issues/#post-8665312)
 * Hi befree22,
 * Glad to help:
 * 1) No need to disable anything, WP’s Add Media functionality works on the front-
   end exactly like it does in the Admin Area, which is expected and totally safe.
   To save you some time reading through that tedious thread, allow me to summarize
   how it works:
 * – Visitor, Subscriber, and Contributor – don’t have access to the Media Library
 * – Author and better – do have access to the Media Library
 * Further:
 * – Visitor, Subscriber, and Contributor – can’t modify *any* media files
 * – Author – can only modify their *own* files
 * – Editor and better – can modify *any* media files
 * Note that all of this applies regardless of whether the user is working on the
   front-end (e.g., via USP form) or via the Admin Area. It’s the same both sides
   of the fence.
 * So if you have users with sufficient level capabilities, they will be able to
   do on the front-end the same things they can do in the Admin Area. Exactly how
   a plugin that is tightly integrated with WordPress should work.
 * 2) Yes, complete nonce functionality was added a long time ago.
 * I hope that helps with any concerns, let me know if I may be of service.
    -  This reply was modified 9 years, 4 months ago by [Jeff Starr](https://wordpress.org/support/users/specialk/).
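
The two checks discussed in this thread, as an added example that is not part of the original posts and is not code from the User Submitted Posts plugin: a front-end submission handler that verifies a nonce and applies the same capability checks WordPress uses in the Admin Area. Every name prefixed `example_` (action, nonce and form field names) is a hypothetical chosen for illustration.

```php
<?php
// Added example; not User Submitted Posts code. "example_" names are hypothetical.

// Print the hidden nonce field; call this between the form's <form> tags.
function example_render_nonce_field() {
    wp_nonce_field( 'example_submit_post', 'example_nonce' );
}

// May the current user reference this media item from the front end?
function example_user_can_use_media( $attachment_id ) {
    // Visitors, Subscribers and Contributors lack upload_files by default.
    if ( ! current_user_can( 'upload_files' ) ) {
        return false;
    }
    if ( 'attachment' !== get_post_type( $attachment_id ) ) {
        return false;
    }
    // Meta capability: Authors pass only for their own files,
    // Editors and above pass for any file.
    return current_user_can( 'edit_post', $attachment_id );
}

function example_handle_submission() {
    $nonce = isset( $_POST['example_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_nonce'] ) ) : '';
    // Reject requests that were not produced by the rendered form.
    if ( ! wp_verify_nonce( $nonce, 'example_submit_post' ) ) {
        wp_die( 'Invalid or expired form token.', 'Forbidden', array( 'response' => 403 ) );
    }
    $attachment_id = isset( $_POST['example_attachment_id'] )
        ? absint( $_POST['example_attachment_id'] ) : 0;
    if ( $attachment_id && ! example_user_can_use_media( $attachment_id ) ) {
        wp_die( 'You may not use this media item.', 'Forbidden', array( 'response' => 403 ) );
    }
    $title = isset( $_POST['example_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_title'] ) ) : '';
    // Hold the submission for moderation instead of publishing it.
    $post_id = wp_insert_post( array( 'post_title' => $title, 'post_status' => 'pending' ) );
    if ( $post_id && $attachment_id ) {
        set_post_thumbnail( $post_id, $attachment_id );
    }
    wp_safe_redirect( home_url() );
    exit;
}
// Same handler for logged-in and logged-out submitters.
add_action( 'admin_post_example_submit', 'example_handle_submission' );
add_action( 'admin_post_nopriv_example_submit', 'example_handle_submission' );
```

A WordPress nonce is a time-limited request token tied to the user and action; for logged-out visitors it is not user-specific, so it verifies that a request came from the rendered form and is not a bot filter by itself.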


The topic ‘Plugin security issues’ is closed to new replies.


 * 1 reply
 * 2 participants
 * Last reply from: [Jeff Starr](https://wordpress.org/support/users/specialk/)
 * Last activity: [9 years, 4 months ago](https://wordpress.org/support/topic/plugin-security-issues/#post-8665312)
 * Status: resolved