Security Breach in Popular Plugin “User Role Editor” – User Can Become Admin

There is a major vulnerability in a popular plugin with over 300,000 active installs: User Role Editor 4.24 and older.

The vulnerability allows any registered user to gain administrator access. For sites that have open registration, this is a serious security hole.

If you are running User Role Editor, upgrade to the newest version, 4.25, immediately.

Looking at a diff of the newest plugin release, the author was checking if users have access to edit another user using the ‘current_user_can’ function and checking for the ‘edit_user’ (without an ‘s’ on the end) capability on a specific user ID. The green code below was added.

[Screenshot: diff of the plugin release, with the added code shown in green]

A user can edit themselves, and so sending data to the plugin that supplies the current user’s ID to this access check would bypass the check.

The fix released in version 4.25 (new code shown in green above) checks if the current user has the ‘edit_users’ capability which is a general access check that would fix this vulnerability.

The edit_user check that was being used is undocumented on the Roles wiki page, but it is used by WordPress core (in a secure way). So if you are using this check in your plugins, it is important to realize that it can be bypassed if used as a general access level check.
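
To make the difference between the two checks concrete, here is an added example (not User Role Editor's code and not from the original post) of a role-change handler with the per-user check beside the general one. It assumes it runs inside a WordPress plugin; the function names, the hook name, the nonce action and the form field names are hypothetical.

```php
<?php
// Added example, not User Role Editor's code. The hook name, nonce action and
// form field names below are hypothetical.

// WEAK: 'edit_user' is a meta capability evaluated against one user ID.
// A user may edit their own profile, so this returns true for a subscriber
// whenever $target_id is that subscriber's own ID.
function example_can_manage_weak( $target_id ) {
    return current_user_can( 'edit_user', $target_id );
}

// HARDENED: require the general 'edit_users' capability first, then keep the
// per-user check as a second gate on the specific target.
function example_can_manage_hardened( $target_id ) {
    return current_user_can( 'edit_users' )
        && current_user_can( 'edit_user', $target_id );
}

function example_handle_role_change() {
    // Reject forged requests before reading any input.
    check_admin_referer( 'example_role_change' );

    $target_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    $new_role  = isset( $_POST['role'] ) ? sanitize_key( wp_unslash( $_POST['role'] ) ) : '';

    // Authorization happens before any lookup or change is made.
    if ( ! example_can_manage_hardened( $target_id ) ) {
        wp_die( 'You are not allowed to change user roles.', '', array( 'response' => 403 ) );
    }

    // Only act on an existing user and a role that is actually registered.
    $user = get_userdata( $target_id );
    if ( ! $user || null === get_role( $new_role ) ) {
        wp_die( 'Unknown user or role.', '', array( 'response' => 400 ) );
    }

    $user->set_role( $new_role );
    wp_safe_redirect( admin_url( 'users.php' ) );
    exit;
}
add_action( 'admin_post_example_role_change', 'example_handle_role_change' );
```

When auditing your own plugins, search for current_user_can( 'edit_user', ... ) calls that guard anything other than editing that one user's profile, and confirm a general capability check sits in front of them.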

As always, please make sure that the rest of your plugins are at the newest version because we have seen several less impactful vulnerabilities emerge during the past month.


The Wordfence Team.

via Vulnerability in User Role Editor – Users Can Become Admins – Wordfence


Table Coding for users | wordpress tips

Just what I have been looking for: handy hints for coding tables in WordPress!


via Table coding for users | wordpress tips

Let the Money Roll in with an Appointment Calendar Plugin

File this under “WordPress Hacks”

What if your clients could schedule their appointments themselves? An appointment calendar can improve your bottom line and make your life easier.

I found the perfect plugin that does just that. It took me weeks of research before I found the best plugin that doesn’t require off-site registration or monthly fees.


It sends email confirmations to the client and to you, allows you to run any kind of business, and schedule anything from hotel rooms to hair salon appointments. It gives you access to PayPal and other gateways (the Pro version only), lets you schedule discounts, coupons, and extras. From the admin, you can manually book appointments or cancel them. You can set the calendar to instantly accept appointments or set it up in a two-step approval process.

This appointment plugin is very robust and quite beautiful. The only caveat is that it was designed by a non-native English language company, and the documentation is useless. There is no tutorial either, so I had to stumble my way through it until I understood how to set it up and use it.

Configuring this plugin is not for the faint of heart, so I recommend that you work with a professional. If you want me to install and configure this plugin for you on your WordPress site, let me know!

You can see the calendar in action when you book a session with me.