
Vulnerability in User Role Editor – Users Can Become Admins

This entry was posted in WordPress Security on April 4, 2016 by Mark Maunder. 20 Replies

There is a major privilege escalation vulnerability in a popular plugin with over 300,000 active installs: User Role Editor 4.24 and older.

The vulnerability allows any registered user, regardless of role, to grant themselves administrator access. For sites that have open registration, where anyone can create an account, this is a serious security hole.

If you are running User Role Editor, upgrade to the newest version which is 4.25 immediately.

Looking at a diff of the newest plugin release, it is clear that the author was checking whether the current user may edit another user by calling the ‘current_user_can’ function with the ‘edit_user’ capability (singular, without an ‘s’ on the end) and a specific user ID. The green code below was added.

[Screenshot: diff of the User Role Editor 4.25 release, with the newly added code highlighted in green]

WordPress always allows a user to edit their own profile, so a request that hands the plugin the current user’s own ID as the user to be edited passes this check, and the plugin then applies the requested role change to that user.

The fix released in version 4.25 (new code shown in green above) checks whether the current user has the ‘edit_users’ capability. That is a general, role-level check (by default only administrators hold it), not a check against a particular target user, so it closes this hole.

The edit_user check that was being used is undocumented on the Roles wiki page, but it is used by WordPress core (in a secure way): it is a meta capability that core resolves through map_meta_cap(), which requires ‘edit_users’ when the target is another user but requires nothing at all when the target is the current user. So if you are using this check in your plugins, it is important to realize that it can be bypassed if used as a general access level check on a user ID that the request itself supplies.
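The following is an added example, not code from User Role Editor or from WordPress core, showing in one self-contained file why the 4.24 check fails and the 4.25 check holds. It models the single-site ‘edit_user’ branch of WordPress core’s map_meta_cap() (self-edit requires nothing, editing anyone else requires the primitive ‘edit_users’ capability) and runs a vulnerable and a fixed role-change handler against a constructed user table; the user IDs, roles and function names are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Added example (not code from the plugin or WordPress core). Models the
// WordPress rule that made the 4.24 check bypassable: map_meta_cap() resolves
// the meta capability 'edit_user' to no requirement at all when the target ID
// is the caller's own ID, and to the primitive 'edit_users' for anyone else.

// Constructed sample user table (hypothetical IDs and roles).
function sample_users(): array {
    return [
        1 => ['role' => 'administrator', 'caps' => ['edit_users' => true]],
        7 => ['role' => 'subscriber',    'caps' => ['read' => true]],
    ];
}

// Model of the single-site 'edit_user' branch of map_meta_cap(): returns the
// primitive capabilities the caller must actually hold.
function map_meta_cap_model(string $cap, int $user_id, int $target_id): array {
    if ($cap === 'edit_user' && $user_id === $target_id) {
        return [];                 // empty requirement: self-edit is always allowed
    }
    if ($cap === 'edit_user') {
        return ['edit_users'];     // editing someone else needs the primitive cap
    }
    return [$cap];                 // primitive capabilities are required as-is
}

// Model of current_user_can(): every mapped capability must be present.
function user_can_model(array $users, int $user_id, string $cap, int $target_id = 0): bool {
    foreach (map_meta_cap_model($cap, $user_id, $target_id) as $needed) {
        if (empty($users[$user_id]['caps'][$needed])) {
            return false;
        }
    }
    return true;                   // nothing required means allowed
}

// Vulnerable shape (as in 4.24): the target ID comes from the request and the
// only gate is 'edit_user' on that ID.
function change_role_vulnerable(array &$users, int $current_user, int $target_id, string $new_role): bool {
    if (!user_can_model($users, $current_user, 'edit_user', $target_id)) {
        return false;
    }
    $users[$target_id]['role'] = $new_role;
    return true;
}

// Fixed shape (as in 4.25): require the primitive 'edit_users' capability,
// which the self-edit rule can never satisfy, before touching any role.
function change_role_fixed(array &$users, int $current_user, int $target_id, string $new_role): bool {
    if (!user_can_model($users, $current_user, 'edit_users')) {
        return false;
    }
    if (!user_can_model($users, $current_user, 'edit_user', $target_id)) {
        return false;
    }
    $users[$target_id]['role'] = $new_role;
    return true;
}

// Scenario: subscriber 7 submits a role change for user ID 7 (their own ID).
$vuln = sample_users();
$ok = change_role_vulnerable($vuln, 7, 7, 'administrator');
printf("vulnerable check: allowed=%s role=%s\n", var_export($ok, true), $vuln[7]['role']);

$fixed = sample_users();
$ok = change_role_fixed($fixed, 7, 7, 'administrator');
printf("fixed check:      allowed=%s role=%s\n", var_export($ok, true), $fixed[7]['role']);

// A real administrator still passes the fixed check for any target.
$admin = sample_users();
$ok = change_role_fixed($admin, 1, 7, 'editor');
printf("admin on user 7:  allowed=%s role=%s\n", var_export($ok, true), $admin[7]['role']);
```

Run with the PHP CLI, the vulnerable handler accepts subscriber 7’s request and user 7 ends up as administrator, the fixed handler rejects the same request and the role stays subscriber, and the administrator is still able to change user 7’s role. The lesson carries over to any plugin: a meta capability evaluated against a user-supplied target ID is not an authorization check on its own.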

As always, please make sure that the rest of your plugins are at the newest version because we have seen several, less impactful vulnerabilities emerge during the past month.

Regards,

The Wordfence Team.


20 Comments on "Vulnerability in User Role Editor – Users Can Become Admins"

Monish April 4, 2016 at 10:48 am • Reply

Thanks for sharing this post and luckily I didn't use this but your work is excellent.

Vatsala Shukla April 4, 2016 at 10:52 am • Reply

Frightening vulnerability, Wordfence Team. I've noticed certain plugins having frequent updates of late and many of them are to fix bugs but the thought that we can invite vulnerability to our website is a major concern.

James S McCauley April 4, 2016 at 11:19 am • Reply

Thanks!

Steve April 4, 2016 at 11:26 am • Reply

Thanks for keeping all of us informed. Invaluable service!

Terence Pera April 4, 2016 at 11:36 am • Reply

Thanks for the update. You guys are doing a marvellous job.
Thanks again.
Terence

Rick Noel April 4, 2016 at 12:21 pm • Reply

Thanks for the heads up on this vulnerability and for creating and maintaining such a fantastic WordPress security plugin!

soufiane April 4, 2016 at 12:29 pm • Reply

Hello and thanks for the alert,

I just upgraded my plugin "User Role Editor" after receiving your message, thanks a lot!

Keep up the good work, you have no idea how you saved my website after getting hacked, your plugin found all the c99 and trojans on the plugins folder...

Again, I can not thank you enough.

Doc April 4, 2016 at 12:47 pm • Reply

Does this vulnerability apply to the Pro version of the plugin as well?

Vladimir April 4, 2016 at 6:19 pm • Reply

Yes, it applied to the Pro version too.
The Pro version is built on top of the free version and uses it as the core.
You should update to Pro version 4.24.5 ASAP to fix the noted vulnerability.

mark April 4, 2016 at 11:18 pm • Reply

Thanks for letting us know Vladimir.

Doc April 5, 2016 at 3:11 pm • Reply

Guess I have some updating to do! Thanks Vladimir.

Marcin April 4, 2016 at 1:07 pm • Reply

Thank you for the information. We've updated to 4.25.

Keep the good work!

kartonim April 4, 2016 at 1:32 pm • Reply

Great post - as usual.
Thank you!

Fredrik Andersson April 4, 2016 at 1:35 pm • Reply

Have it on 20+ wp sites and found out this by your email. Outstanding service you provide, both in plugin and this blog! BIG thanks!

Vladimir April 4, 2016 at 6:21 pm • Reply

Thanks for making this important information available to the wider audience.

cliffatgoodlandllc April 4, 2016 at 6:43 pm • Reply

Thanks for the information on the User Role Editor. Great to know Wordfence is on top of security!

Johan Russel April 4, 2016 at 9:18 pm • Reply

Thanks for the alert. This could be a big nightmare. Wordfence is the best security plugin for sure. Great work guys!

Sandra April 5, 2016 at 5:15 am • Reply

Thanks for sharing this invaluable post. I had quite a few brute force attempts last week; it was unbelievable. Your work is so important to legitimate business owners who are trying to make a living. Stay blessed and keep up the good work.

Judith November 23, 2016 at 5:43 am • Reply

Could it be that this vulnerability reappeared somehow in version 4.29? We've experienced unauthorised activity through our wp-admin recently, and because this plug-in deals with user rights I suspected this could be the cause. (The 404 page was altered, replaced by a file upload form, and posts were added.)

retriever November 24, 2016 at 4:57 am • Reply

my issue was a different one after all, so my comment can be deleted.
