• Resolved hughankers

    (@hughankers)


    I love the InSite plugin, but there seems to be a major security issue.
    I have a WordPress site set up as a social network with BuddyPress. I’ve just noticed that site members, logged in as subscriber level users, with no admin access, can still see the InSite menu on their dashboard and can also create new InSites, add them to my site and also edit/delete existing ones.

    As this can seriously affect the appearance of my site and make it vulnerable to hackers who could add custom javascript InSites, I’ve had to deactivate the plugin and I won’t be using it again until there is some way to remove the InSite menu from all non-admin level users’ dashboard menus.

    I’ve read the FAQs on the insite.io website and I can’t find any information about how to hide the menu.

    Is this just how it’s supposed to work, or have I just not been able to find the correct settings option?

    https://www.ads-software.com/plugins/insite-for-wp-personalization-made-easy/

Viewing 2 replies - 1 through 2 (of 2 total)
  • Thanks for the feedback. I’m escalating this issue to the product department.

    Thread Starter hughankers

    (@hughankers)

    Thanks yoha_duda. Since posting my comment, I’ve discovered a workaround for this issue in the form of another plugin, Remove Dashboard Access. It’s been recently updated and allows me to re-activate InSite without having to worry about my BuddyPress members messing around with the settings.

    On that basis I’m going to mark this issue resolved (at least as far as I’m concerned), although this workaround won’t work for owners of non-BuddyPress sites, who may need to allow dashboard access for users to edit their profile information.

  • The topic ‘InSite Dasboard menu visible to non-admin users (Subscribers)’ is closed to new replies.