• WARNING! This plugin has a major, major bug that leads to a huge security breach.

    Not sure if it’s a known issue or some terrifying collision between WP plugins, but I recently got help getting a quiz up and running, which was great.

    What wasn’t great was that suddenly we started seeing spam posts appearing on our website. We spent almost a day thinking it was users hacking into the system somehow that we were missing. After a lot of debugging and then creating a new subscriber-only account, we realized something even more terrifying. Subscribers were getting full admin access to the website if they went to /wp-admin/ while logged in.

    It didn’t make sense, but the only plugin I installed recently was this. As soon as I disabled the plugin, user levels were correct and subscribers could no longer get full admin access to the /wp-admin/ area.

    Is this a known issue with 4.2.2 or something else entirely?

    https://www.ads-software.com/plugins/slickquiz/

Viewing 1 replies (of 1 total)
  • Plugin Author jewlofthelotus

    (@jewlofthelotus)

    Hi @jamieh2o – sorry to hear that you’ve experienced this.

    As far as I know, this is not an issue with SlickQuiz. I just tried to duplicate this on 2 separate WordPress 4.2.2 + SlickQuiz 1.3.7.1 instances and was unable to access restricted admin content via a logged-in subscriber account.

    I really can’t say why you would have seen that on your setup. I suppose there could have been some magical combination of plugin code, but it’s hard to say anything one way or the other without digging into the details of your setup more.

  • The topic ‘Enabling SlickQuiz on latest WP allows all users full admin access.’ is closed to new replies.