Vulnerability in User Role Editor – Users Can Become Admins

There is a major vulnerability in a popular plugin with over 300,000 active installs: User Role Editor 4.24 and older.

The vulnerability allows any registered user to gain administrator access. For sites that have open registration, this is a serious security hole.

If you are running User Role Editor, upgrade to the newest version which is 4.25 immediately.

Looking at a diff of the newest plugin release, the author had been deciding whether the current user may edit another user by calling ‘current_user_can’ with the ‘edit_user’ capability (without an ‘s’ on the end) and a specific user ID. The green code in the diff below was added.

[Screenshot, 2016-04-04: diff of the User Role Editor 4.25 release showing the added access check]

WordPress always lets a user edit their own profile: when the ‘edit_user’ meta capability is checked against the caller's own user ID, core's capability mapping requires no further capability at all. So a request that supplies the current user's own ID to this access check passes it, whatever role the caller holds, and the rest of the handler then runs with no effective authorization.

The fix released in version 4.25 (new code shown in green above) checks instead for the ‘edit_users’ capability. That is a general capability, held by default only by administrators, and nothing in the request can influence it, which fixes this vulnerability.

The ‘edit_user’ check that was being used is undocumented on the Roles and Capabilities wiki page, but it is used by WordPress core (securely, for the case where a user edits their own profile). If you are using this check in your plugins, it is important to realize that it is a per-user meta capability, not a general access-level check: it can be bypassed whenever the user ID it is checked against comes from the request, because a user is always allowed to edit themselves.
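The bypass and the fix described above, as an added example that is not the plugin's code and not WordPress core. It is a self-contained PHP model: the `$users` table, the request arrays and the two handler functions (`grant_caps_vulnerable`, `grant_caps_fixed`) are hypothetical stand-ins for the plugin's request handler and the WordPress user table, and `map_meta_cap_model` reproduces only the part of core's `map_meta_cap()` that matters here, namely that ‘edit_user’ on your own ID requires no primitive capability while ‘edit_users’ always requires the ‘edit_users’ primitive (the multisite branch is omitted).

```php
<?php
// Added example, not code from User Role Editor or WordPress core.
// Models why current_user_can('edit_user', $id) is bypassable when $id
// is attacker-controlled, and why a plain 'edit_users' check is not.

// Hypothetical users table: user ID => primitive capabilities held.
$users = [
    1 => ['edit_users', 'manage_options'],   // administrator
    7 => ['read'],                           // subscriber from open registration
];

// Simplified stand-in for WordPress' map_meta_cap() for the two caps discussed.
function map_meta_cap_model(string $cap, int $current_user_id, ?int $target_user_id): array
{
    switch ($cap) {
        case 'edit_user':
            // Core lets a user edit their own profile: no capabilities required.
            if ($target_user_id !== null && $target_user_id === $current_user_id) {
                return [];
            }
            return ['edit_users'];
        case 'edit_users':
            return ['edit_users'];
        default:
            return [$cap];
    }
}

// Stand-in for current_user_can(): true only if every mapped primitive is held.
function current_user_can_model(array $users, int $current_user_id, string $cap, ?int $target = null): bool
{
    $required = map_meta_cap_model($cap, $current_user_id, $target);
    $held = $users[$current_user_id] ?? [];
    foreach ($required as $primitive) {
        if (!in_array($primitive, $held, true)) {
            return false;
        }
    }
    return true;
}

// Vulnerable pattern (4.24 and older, as the post describes it): the access
// decision depends on a user ID taken from the request.
function grant_caps_vulnerable(array &$users, int $current_user_id, array $request): bool
{
    $target = (int) $request['user_id'];
    if (!current_user_can_model($users, $current_user_id, 'edit_user', $target)) {
        return false;
    }
    $users[$target] = array_values(array_unique(array_merge($users[$target] ?? [], $request['add_caps'])));
    return true;
}

// Fixed pattern (4.25): a general 'edit_users' check that no request field can steer.
function grant_caps_fixed(array &$users, int $current_user_id, array $request): bool
{
    if (!current_user_can_model($users, $current_user_id, 'edit_users')) {
        return false;
    }
    $target = (int) $request['user_id'];
    $users[$target] = array_values(array_unique(array_merge($users[$target] ?? [], $request['add_caps'])));
    return true;
}

// Constructed attack request: the subscriber (ID 7) points the check at their own ID
// and asks for administrator-level capabilities.
$attack = ['user_id' => 7, 'add_caps' => ['edit_users', 'manage_options']];

$v = $users;
$vulnerableAccepted = grant_caps_vulnerable($v, 7, $attack);   // passes: 7 may "edit_user" 7
$f = $users;
$fixedRejected = !grant_caps_fixed($f, 7, $attack);            // blocked: 7 lacks edit_users
$adminStillWorks = grant_caps_fixed($f, 1, $attack);           // a real admin is unaffected

printf("vulnerable handler accepted subscriber: %s\n", $vulnerableAccepted ? 'yes' : 'no');
printf("subscriber now holds: %s\n", implode(', ', $v[7]));
printf("fixed handler rejected subscriber: %s\n", $fixedRejected ? 'yes' : 'no');
printf("fixed handler still works for admin: %s\n", $adminStillWorks ? 'yes' : 'no');
```

Run it with `php example.php`: the vulnerable handler accepts the subscriber's request and leaves user 7 holding ‘edit_users’ and ‘manage_options’, while the fixed handler rejects the same request and still serves the administrator. When auditing a plugin, treat any `current_user_can( 'edit_user', $id )` where `$id` comes from `$_POST`, `$_GET` or `$_REQUEST` as suspect for exactly this reason.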

As always, please make sure that the rest of your plugins are at the newest version, because we have seen several less impactful vulnerabilities emerge during the past month.

Regards,

The Wordfence Team.


Comments (20)
  • Thanks for sharing this post and luckily I didn't use this but your work is excellent.

  • Frightening vulnerability, Wordfence Team. I've noticed certain plugins having frequent updates of late and many of them are to fix bugs but the thought that we can invite vulnerability to our website is a major concern.

  • Thanks!

  • Thanks for keeping all of us informed. Invaluable service!

  • Thanks for the update. You guys are doing a marvellous job.
    Thanks again.
    Terence

  • Thanks for the heads up on this vulnerability and for creating and maintaining such a fantastic WordPress security plugin!

  • Hello and thanks for the alert,

    I just upgraded my plugin "User Role Editor" after receiving your message, thanks a lot!

    Keep up the good work, you have no idea how you saved my website after getting hacked, your plugin found all the c99 and trojans on the plugins folder...

    Again, I can not thank you enough.

  • Does this vulnerability apply to the Pro version of the plugin as well?

    • Yes, it applied to the Pro version too.
      The Pro version is built on top of the free version - it uses it as the core.
      You should update to Pro version 4.24.5 ASAP to fix the noted vulnerability.

      • Thanks for letting us know Vladimir.

      • Guess I have some updating to do! Thanks Vladimir.

  • Thank you for the information. We've updated to 4.25.

    Keep the good work!

  • Great post - as usual.
    Thank you!

  • Have it on 20+ wp sites and found out this by your email. Outstanding service you provide, both in plugin and this blog! BIG thanks!

  • Thanks for making this important information available to the wider audience.

  • Thanks for the information on the User Role Editor. Great to know Wordfence is on top of security!

  • Thanks for the alert. This could be a big nightmare. Wordfence is the best security plugin for sure. Great work guys!

  • Thanks for sharing this invaluable post. I had quite a few brute force attempts last week it was unbelievable. Your work is so important to legitimate business owners who are trying to make a living. Stay blessed and keep up the good work.

  • Could it be that this vulnerability reappeared somehow in version 4.29? We've experienced unauthorised activity through our wp-admin recently, and because this plug-in deals with user rights I suspected this could be the cause (page 404 was altered, replaced by a file upload form, and posts were added).

    • my issue was a different one after all, so my comment can be deleted.