Title: [Plugin: User Role Editor] Editor can Edit Admin!!
Last modified: August 19, 2016

---

# [Plugin: User Role Editor] Editor can Edit Admin!!

 *  [Sahar](https://wordpress.org/support/users/saharusa/)
 * (@saharusa)
 * [16 years, 2 months ago](https://wordpress.org/support/topic/plugin-user-role-editor-editor-can-edit-admin/)
 * Hi there,
    Thanks for version 2, but still there is a security hole:
 * I gave Editor ability to see & edit users
 * When I edit user, this is the url:
    `/wp-admin/user-edit.php?user_id=20&wp_http_referer=/wp-admin/users.php`
 * If I change the user_id from 20 to 1 (the admin id) I can edit the admin user
   level and set it to editor and below.
 * [http://wordpress.org/extend/plugins/user-role-editor/](http://wordpress.org/extend/plugins/user-role-editor/)

Viewing 9 replies - 1 through 9 (of 9 total)

 *  [Vladimir Garagulya](https://wordpress.org/support/users/shinephp/)
 * (@shinephp)
 * [16 years, 2 months ago](https://wordpress.org/support/topic/plugin-user-role-editor-editor-can-edit-admin/#post-1452078)
 * Hi,
    You are right. It is a real security hole. I will investigate the subject
   and return with a solution. Thanks for the help. Regards, Vladimir.
 *  [Vladimir Garagulya](https://wordpress.org/support/users/shinephp/)
 * (@shinephp)
 * [16 years, 2 months ago](https://wordpress.org/support/topic/plugin-user-role-editor-editor-can-edit-admin/#post-1452116)
 * I fixed this issue both for `user-edit.php?user_id=` and for
    `user.php?action=delete&user=` requests in URE version 2.0.1. Thanks again.
   Please check and share your test results.
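
The kind of server-side check this fix calls for, as an added example that is not URE's code and not part of the original thread: a `map_meta_cap` filter that refuses user-management capabilities when the target account is an Administrator and the acting user is not, so changing `user_id` in the URL no longer matters. The `example_` function names are hypothetical, and the snippet assumes a current WordPress in which `edit_user`, `delete_user`, `promote_user` and `remove_user` are meta capabilities.

```php
<?php
// Added example, not the plugin's implementation. Load as a small plugin or mu-plugin.

// True if the user is an Administrator (or a super admin on multisite).
// Roles are read directly instead of calling user_can(), which would
// re-enter the map_meta_cap filter below.
function example_is_admin( $user_id ) {
    if ( is_multisite() && is_super_admin( $user_id ) ) {
        return true;
    }
    $user = get_userdata( (int) $user_id );
    return $user && in_array( 'administrator', (array) $user->roles, true );
}

// Deny per-user management capabilities when a non-admin targets an admin.
// WordPress passes the target user ID as $args[0] for these meta capabilities.
function example_protect_admin_accounts( $caps, $cap, $user_id, $args ) {
    $guarded = array( 'edit_user', 'delete_user', 'promote_user', 'remove_user' );
    if ( ! in_array( $cap, $guarded, true ) || empty( $args[0] ) ) {
        return $caps; // Not a per-user check: leave the mapping untouched.
    }
    if ( example_is_admin( $args[0] ) && ! example_is_admin( $user_id ) ) {
        $caps[] = 'do_not_allow'; // No role holds this capability, so the check fails.
    }
    return $caps;
}
add_filter( 'map_meta_cap', 'example_protect_admin_accounts', 10, 4 );

// Keep non-admins from assigning the Administrator role through the role
// dropdowns, which would otherwise be a second route to the same privilege.
function example_hide_admin_role( $roles ) {
    if ( ! example_is_admin( get_current_user_id() ) ) {
        unset( $roles['administrator'] );
    }
    return $roles;
}
add_filter( 'editable_roles', 'example_hide_admin_role' );
```

Because the check runs inside capability mapping, it applies to every code path that calls `current_user_can( 'edit_user', $id )` or `current_user_can( 'delete_user', $id )`, not only to the two admin URLs named in the reply.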
 *  Thread Starter [Sahar](https://wordpress.org/support/users/saharusa/)
 * (@saharusa)
 * [16 years, 2 months ago](https://wordpress.org/support/topic/plugin-user-role-editor-editor-can-edit-admin/#post-1452128)
 * I confirm, not possible to edit admin by changing id at the url anymore.
 * Thanks a lot.
 *  [bluemason](https://wordpress.org/support/users/bluemason/)
 * (@bluemason)
 * [16 years, 1 month ago](https://wordpress.org/support/topic/plugin-user-role-editor-editor-can-edit-admin/#post-1452359)
 * I tried switching off edit_others_pages and delete_others_pages for the Editor
   role, then went to Pages and found that the Trash option and Empty Trash in the
   Trash bin were available and worked for an Editor for pages created by Admin.
 * I’m on 2.9.2.
 * Thanks
 *  [Vladimir Garagulya](https://wordpress.org/support/users/shinephp/)
 * (@shinephp)
 * [16 years ago](https://wordpress.org/support/topic/plugin-user-role-editor-editor-can-edit-admin/#post-1452370)
 * Excuse me for such a late reply. I considered this topic closed and did not look
   into it for a long time.
    1st, I tried to repeat your actions and do not have the ‘Edit’ option
   in the pages list for admin-created pages – just the ‘View’ one. So I do not have any
   Trash links for the Editor role modified this way. 2nd, if some problem exists in
   this case, I’m not sure that it is a URE plugin problem.
 *  Thread Starter [Sahar](https://wordpress.org/support/users/saharusa/)
 * (@saharusa)
 * [15 years, 7 months ago](https://wordpress.org/support/topic/plugin-user-role-editor-editor-can-edit-admin/#post-1452388)
 * Latest version brings back this old problem, Editor got Administrator power now.
 *  [Vladimir Garagulya](https://wordpress.org/support/users/shinephp/)
 * (@shinephp)
 * [15 years, 7 months ago](https://wordpress.org/support/topic/plugin-user-role-editor-editor-can-edit-admin/#post-1452389)
 * Oops! Thank you.
    I will check and return with update ASAP.
 *  [Vladimir Garagulya](https://wordpress.org/support/users/shinephp/)
 * (@shinephp)
 * [15 years, 7 months ago](https://wordpress.org/support/topic/plugin-user-role-editor-editor-can-edit-admin/#post-1452390)
 * Please try this version:
    [http://www.shinephp.com/wp-content/downloads/wordpress/plugins/user-role-editor-2.2.3.zip](http://www.shinephp.com/wp-content/downloads/wordpress/plugins/user-role-editor-2.2.3.zip)
   Only users with the Administrator role and the superadmin user in a multi-site environment
   have access to the User Role Editor Settings page now. I still need to update the code
   so that a sub-blog admin under multi-site can use URE too for their own sub-blog.
   I plan to do it tomorrow.
 * There is a hole if a user has ‘delete_users’ and plugin management capabilities,
   as WP then considers him an administrator and gives access to the Plugins menu, where
   the user can deactivate URE or just upload any PHP code as a WP plugin… It is more
   a question of trust and accuracy when giving critical rights to someone.
 *  Thread Starter [Sahar](https://wordpress.org/support/users/saharusa/)
 * (@saharusa)
 * [15 years, 7 months ago](https://wordpress.org/support/topic/plugin-user-role-editor-editor-can-edit-admin/#post-1452391)
 * Thank you Vladimir,
    Things are back to normal now.


 * 9 replies
 * 3 participants
 * Last reply from: [Sahar](https://wordpress.org/support/users/saharusa/)
 * Last activity: [15 years, 7 months ago](https://wordpress.org/support/topic/plugin-user-role-editor-editor-can-edit-admin/#post-1452391)
 * Status: not resolved

