Big security flaw when used with bbpress

Hi etellewyn,

I think there needs to be a check in this plugin that only lets this function run for admins.

This is, of course, the case. It’s not possible to switch to a user unless the current user has the ability to edit the user that they are viewing. From the FAQ:

A user needs the edit_users capability in order to switch user accounts. By default only Administrators have this capability, and with Multisite enabled only Super Admins have this capability.

User Switching has automated unit testing in place to ensure this remains the case, and I’ve tested this functionality this morning on my test sites and cannot reproduce the issue.

It sounds like there is an issue with your particular site which means regular users have been given the ability to edit other users. Do you have a role or capability management plugin installed? If so, you might want to check what capabilities you’ve assigned to other roles and users.

Another issue could be that your site is caching requests for logged in users, which means that a logged in user with the ability to edit users has previously viewed that page and it’s erroneously been cached and then subsequently served to the user who reported seeing the link.

In this case, your caching is misconfigured. Visits by logged in users should never be cached. It could be that your site includes some sort of fragment caching, or whole page caching.

Ah yes that answers it. The user that was able to do this is a ‘director’ which is a custom role that we have set up, which does have the ability to edit users. Looks like we’ll need to change the way we do things or stop using this plugin. Good to know that at least it’s limited to Directors and that not all subscribers can do it!
Thanks so much for the prompt reply.