Title: [Plugin: User Switching] Security
Last modified: August 20, 2016

---

# [Plugin: User Switching] Security

 *  Resolved [Gabriel Reguly](https://wordpress.org/support/users/gabriel-reguly/)
 * (@gabriel-reguly)
 * [14 years, 7 months ago](https://wordpress.org/support/topic/plugin-user-switching-security/)
 * Hi,
 * This was reported as fixed, but the flaw still exists.
 * An administrator can become a super-administrator in multisite.
 * Regards,
    Gabriel
 * [http://wordpress.org/extend/plugins/user-switching/](http://wordpress.org/extend/plugins/user-switching/)

Viewing 3 replies - 1 through 3 (of 3 total)

 *  Thread Starter [Gabriel Reguly](https://wordpress.org/support/users/gabriel-reguly/)
 * (@gabriel-reguly)
 * [14 years, 7 months ago](https://wordpress.org/support/topic/plugin-user-switching-security/#post-2388202)
 * Hi again,
 * I have done a fix for the issue, in _function map\_meta\_cap(..)_
 * replace
 *     ```
       if ( ( 'switch_to_user' == $cap ) and ( $args[0] == $user_id ) )
       ```
   
 * with
 *     ```
       if ( ( 'switch_to_user' == $cap ) and ( ( $args[0] == $user_id ) or ( is_super_admin( $args[0] ) ) ) )
       ```
   
 * Regards,
    Gabriel
 *  Plugin Author [John Blackbourn](https://wordpress.org/support/users/johnbillion/)
 * (@johnbillion)
 * WordPress Core Developer
 * [14 years, 7 months ago](https://wordpress.org/support/topic/plugin-user-switching-security/#post-2388376)
 * Hi Gabriel,
 * Thanks for the feedback. I cannot reproduce this problem.
 * The ‘do_not_allow’ capability in `map_meta_cap()` only affects super-admins and
   simply prevents them from switching to themselves. Your fix will prevent super
   admins switching to other super admins.
 * The `user_cap_filter()` function grants the ‘switch_to_user’ capability to users
   only if they can edit the user they’re trying to switch to (and if it’s not themselves).
   Site admins cannot edit super admins, so therefore they’re not granted the ‘switch_to_user’
   capability for super admins.
 * Are you running a plugin which might be affecting user roles or capabilities?
 *  Thread Starter [Gabriel Reguly](https://wordpress.org/support/users/gabriel-reguly/)
 * (@gabriel-reguly)
 * [14 years, 7 months ago](https://wordpress.org/support/topic/plugin-user-switching-security/#post-2388383)
 * Hi John,
 * As a matter of fact, I am running some code that is causing the issue.
 * I’ll have a look at it to make a fix at the correct place.
 * Thanks for your support.
 * Regards,
    Gabriel

Viewing 3 replies - 1 through 3 (of 3 total)

The topic ‘[Plugin: User Switching] Security’ is closed to new replies.

 * ![](https://ps.w.org/user-switching/assets/icon.svg?rev=3193956)
 * [User Switching](https://wordpress.org/plugins/user-switching/)
 * [Frequently Asked Questions](https://wordpress.org/plugins/user-switching/#faq)
 * [Support Threads](https://wordpress.org/support/plugin/user-switching/)
 * [Active Topics](https://wordpress.org/support/plugin/user-switching/active/)
 * [Unresolved Topics](https://wordpress.org/support/plugin/user-switching/unresolved/)
 * [Reviews](https://wordpress.org/support/plugin/user-switching/reviews/)

 * 3 replies
 * 2 participants
 * Last reply from: [Gabriel Reguly](https://wordpress.org/support/users/gabriel-reguly/)
 * Last activity: [14 years, 7 months ago](https://wordpress.org/support/topic/plugin-user-switching-security/#post-2388383)
 * Status: resolved