Title: security issue in multisite install Last modified: September 21, 2018 --- # security issue in multisite install * [Stefan Kremer (stk_jj)](https://wordpress.org/support/users/stk_jj/) * (@stk_jj) * [7 years, 8 months ago](https://wordpress.org/support/topic/security-issue-in-multisite-install/) * once memphis documents library is enabled the user-writes management is broken. editors (not tested with other user-roles author, contributor, subscriber) have the right to delete the entire sub-instance which is normaly only alowed to admins. This behaviour stays even when memphis documents library is disabled. The entry“ delete site” stays in the tools menu and is usable! The file [https://mydomain.tld/wp-admin/ms-delete-site.php](https://mydomain.tld/wp-admin/ms-delete-site.php) can be triggered. - This topic was modified 7 years, 8 months ago by [Stefan Kremer (stk_jj)](https://wordpress.org/support/users/stk_jj/). Viewing 3 replies - 1 through 3 (of 3 total) * Plugin Author [bhaldie](https://wordpress.org/support/users/bhaldie/) * (@bhaldie) * [7 years, 8 months ago](https://wordpress.org/support/topic/security-issue-in-multisite-install/#post-10717988) * Is the user rights manager a plugin? * you have to be very careful when give a role type admin right to mDocs. “Manage Options” is a very powerful rule and should only be given to the most trusted role types. * Deleting mDocs will not revert the roles, you must turn the rules off in the mDocs settings then you can delete mDocs. - This reply was modified 7 years, 8 months ago by [bhaldie](https://wordpress.org/support/users/bhaldie/). * Thread Starter [Stefan Kremer (stk_jj)](https://wordpress.org/support/users/stk_jj/) * (@stk_jj) * [7 years, 8 months ago](https://wordpress.org/support/topic/security-issue-in-multisite-install/#post-10718016) * a) managing options in mDocs shall not lead to a privilege escalation within the multisite. It’s still a major bug and a security flaw. It’s something completely different to manage settings of a plugin vs. deleting an entire sub-site from a multisite install! * b) why are roles not reverted, once the plugin is deinstalled? Why is there no roleback? Or other: if this behavior (for whatever reason) is intended – where’s the documentation for this? * Plugin Author [bhaldie](https://wordpress.org/support/users/bhaldie/) * (@bhaldie) * [7 years, 8 months ago](https://wordpress.org/support/topic/security-issue-in-multisite-install/#post-10718086) * A) Can you go into detail on what you are referring to. Step by step on how to recreate this issue. * B) Rolling back is not an option, roles and permission is a WordPress setting. I will right now documentation on this in the next version of mDocs if that helps. Viewing 3 replies - 1 through 3 (of 3 total) The topic ‘security issue in multisite install’ is closed to new replies. * ![](https://s.w.org/plugins/geopattern-icon/memphis-documents-library_91918f. svg) * [Memphis Documents Library](https://wordpress.org/plugins/memphis-documents-library/) * [Frequently Asked Questions](https://wordpress.org/plugins/memphis-documents-library/#faq) * [Support Threads](https://wordpress.org/support/plugin/memphis-documents-library/) * [Active Topics](https://wordpress.org/support/plugin/memphis-documents-library/active/) * [Unresolved Topics](https://wordpress.org/support/plugin/memphis-documents-library/unresolved/) * [Reviews](https://wordpress.org/support/plugin/memphis-documents-library/reviews/) * 3 replies * 2 participants * Last reply from: [bhaldie](https://wordpress.org/support/users/bhaldie/) * Last activity: [7 years, 8 months ago](https://wordpress.org/support/topic/security-issue-in-multisite-install/#post-10718086) * Status: not a support question