• This plugin allows any user to replace media owned by any other user. This should not be allowed, and only the admin should have these abilities. By default, a user should only be allowed to modify their own files.

    It should be fairly simple to update this plugin so that a user can only modify the media files they own, unless they’re an admin (current_user_can( 'manage_options' )) in which case they should be able to modify all media.

    https://www.ads-software.com/plugins/enable-media-replace/
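
The ownership check proposed in the post above, as an added example that is not part of the original post and is not the plugin's own code. It assumes it runs inside WordPress; the `example_` function names are hypothetical, and requiring `upload_files` for owners is an assumption beyond what the post asks for.

```php
<?php
/**
 * Added example, not the plugin's code. Function names are hypothetical.
 * Decide whether the current user may replace the given media item.
 */
function example_user_can_replace_media( $attachment_id ) {
    $attachment_id = absint( $attachment_id );
    $user_id       = get_current_user_id(); // 0 when nobody is logged in.

    if ( 0 === $attachment_id || 0 === $user_id ) {
        return false;
    }

    $post = get_post( $attachment_id );
    if ( ! $post || 'attachment' !== $post->post_type ) {
        return false; // Unknown ID or not a media item: fail closed.
    }

    // Admins may replace any media, as the post proposes.
    if ( current_user_can( 'manage_options' ) ) {
        return true;
    }

    // Everyone else must own the file. Requiring upload_files as well is
    // an assumption of this example, so low-privilege roles stay excluded.
    return (int) $post->post_author === $user_id
        && current_user_can( 'upload_files' );
}

/**
 * Call this in the server-side handler that performs the replacement,
 * before any file is touched. Hiding the "replace" link is not enough.
 */
function example_guard_replace_request( $attachment_id ) {
    if ( ! example_user_can_replace_media( $attachment_id ) ) {
        wp_die(
            esc_html__( 'You are not allowed to replace this file.' ),
            '',
            array( 'response' => 403 )
        );
    }
}
```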

Viewing 3 replies - 1 through 3 (of 3 total)
  • Thread Starter b-rad

    (@b-rad)

    Does the author have any intent to close this security hole?

    Thread Starter b-rad

    (@b-rad)

    Shame. I was hoping to see the plugin owner update this plugin so that this security hole was fixed but it seems to have been ignored. I hope no one in a production environment is using this.

    I am using it currently in production.
    As only one user can edit the site, there aren’t security issues?
    What about guest level users?

  • The topic ‘Security issue: No permission control – Any user can replace any file’ is closed to new replies.