• VP

    (@studio500)


****** Warning: Serious Security Issue ****** This plugin gives users full access to your entire media library, whereby a malicious user can not only view every image or document in your media library, but is also able to alter and delete any amount of your content data.

I tried to speak to the plugin author regarding this issue and whether there was any other way of disabling this level of access, so that each user could only view content that they themselves had uploaded, similar to other front-end publishing plugins that I have used.

    I received only a dismissive and unconcerned response from the Plugin Author.

    *****My advice would be to avoid this plugin.*******

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Jeff Starr

    (@specialk)

    Hello, I am the plugin author. There seems to be some confusion here. Allow me to explain how it works:

    “Warning Serious Security Issue”

    There is no security issue whatsoever. User Submitted Posts is trusted by 20,000+ WordPress-powered sites. It is updated regularly and always has been secure.

    “a malicious user can not only view every image or document in your media library, but they are also able to alter and delete any amount of your content data.”

    Yes, that is how WordPress works. If a user has proper permissions, they are allowed to add/edit/delete content and files. No different when approached from the front-end.

    “I received only a dismissive and unconcerned response from the Plugin Author.”

Not sure what the issue is here; I responded to this support request within 24 hours and was completely helpful and polite, because I care about my users. Here is the support thread so you can read for yourself:

    https://www.ads-software.com/support/topic/media-library-access-to-logged-in-users

    “My advice would be to avoid this plugin.”

    Thanks for the feedback. Fortunately, a majority of users disagree with you. Check the reviews. Most are 5 star with positive experiences.

    I’m sorry that the plugin was not what you were looking for, but just because a freely developed and supported plugin lacks a specific feature is no reason to post false/negative comments. Check my history, I bend over backward to help my users, but apparently it’s impossible to please everyone.

    Thread Starter VP

    (@studio500)

Jeff, your plugin allows any user to access the entire media library of images, documents, etc. uploaded by the admin or indeed anyone else.

The user can then browse and even delete any or all of these images, etc. due to the permissions allowed by your plugin.

Other front-end publishing plugins do not allow the user this level of access and restrict media library access, allowing each user to view, upload and edit only their own individual files.

You keep saying that this is the way WordPress works, yet with a little extra programming this security issue can be avoided, and yes, it is a serious security issue when someone can delete all the images off your site if they so please.

Other front-end publishing programs restrict access, but for some reason yours does not, and you would rather kick and scream, saying it's the way WordPress works, instead of doing something about it.

I agree with other users that your plugin is excellent and easy to use, but the media access problem is an issue, yet you do not like it when someone raises it as a problem.

    Check out this plugin that restricts access which does work in tandem with your plugin. https://www.ads-software.com/plugins/wp-users-media/

    I’m sorry if you think I’m wrong raising this issue. My intention is not to offend you but to simply state what I believe is a serious flaw that needs addressing.
    It’s up to you if you want to ignore the issue.

    Regards
    Studio500

    Plugin Author Jeff Starr

    (@specialk)

    I see there remains much confusion, so I will attempt to break it down into small steps:

    1) In the WP Admin Area, only users who have proper permissions are allowed to access the Media Library. By default, this means that the user must be an Author, Editor, or Admin in order to access the Media Library. Subscribers and Contributors, by default, do not have access.

    This native WP functionality is by design and ensures that only trusted users with sufficient capabilities are able to access the Media Library.

    2) On the front-end, USP uses this native WP functionality to keep things nice and simple:

    – Users who are not logged in to WP will not have access to the Media Library
    – Logged in Subscribers and Contributors will not have access to the Media Library
    – Logged in Authors, Editors, and Admins will have access to the Media Library

    So as explained previously, USP works exactly like WP in this regard. Whether or not a user has access to the Media Library depends entirely on their user role (i.e., capabilities).

    So if you are registering all of your users as Authors or better, then yeah they are going to have access to the Media Library on the front-end, just as they do when using the Admin Area. And conversely, if you are registering users as Contributors or Subscribers, then they are NOT going to have access to the Media Library. It works exactly like WordPress, regardless of using front-end via USP or backend via the Admin Area.

    I hope this makes sense. I’ve tried to explain it as clearly as possible. But I also understand that WordPress is sort of advanced and can be confusing to some people.

    Some further points:

    – Even if you are registering users as Authors or better, you can disable access to the Media Library at any time by disabling the setting, “Enable Rich Text Editor”. This is an added feature of USP to help folks such as yourself who may not want to give Authors, Editors, and Admins access to the Media Library on the front-end (even though WP still grants them access to the Media Library in the Admin Area).

    – If you really felt that this feature of USP was a “serious security issue” (which it is not), why on earth would you post about it publicly and put thousands of sites at risk? And in the “Reviews” section, to boot? Your behavior is not only extremely disrespectful, it goes against official WordPress guidelines:

    https://make.www.ads-software.com/core/handbook/testing/reporting-security-vulnerabilities/

    I suggest that you take a moment and educate yourself regarding responsible disclosure of suspected security vulnerabilities. And in the future, instead of posting your thoughts publicly, show some respect and concern for others in the WP community and reach out first to the developers, in private, and give them a chance to resolve the issue.
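The reply above describes the default WordPress rule: Media Library access is a capability check (the `upload_files` capability, which Authors, Editors and Administrators hold by default), so a front-end editor that loads the media modal inherits that rule. The snippet below is an added example, not code from the User Submitted Posts plugin or from anyone in this thread; it shows the other behaviour the thread discusses, scoping the Media Library to the current user's own uploads unless the user can edit others' posts. It uses two core WordPress hooks, `ajax_query_attachments_args` (the query behind the media modal used by editors on the front-end and in wp-admin) and `pre_get_posts` (the query behind the Media Library screen); the helper name `usp_example_restrict_to_own_media` is a hypothetical name chosen for this example.

```php
<?php
/**
 * Added example (not part of USP or this thread): confine the Media Library
 * to the current user's own attachments unless the user can edit others'
 * posts. Install as a site-specific plugin or in a theme's functions.php.
 *
 * Assumes default WordPress roles/capabilities: `upload_files` gates the
 * Media Library; `edit_others_posts` separates Authors from Editors/Admins.
 */

// Hypothetical helper: should the current user be limited to their own media?
function usp_example_restrict_to_own_media() {
    if ( ! is_user_logged_in() ) {
        return false; // anonymous visitors never reach the Media Library anyway
    }
    return ! current_user_can( 'edit_others_posts' );
}

// The media modal (the "Add Media" button of the rich text editor, whether it
// is rendered on the front-end or in wp-admin) lists attachments through an
// admin-ajax request; this filter narrows that query to the current author.
add_filter( 'ajax_query_attachments_args', function ( $query ) {
    if ( usp_example_restrict_to_own_media() ) {
        $query['author'] = get_current_user_id();
    }
    return $query;
} );

// The Media Library screen (upload.php, list and grid modes) runs the main
// query for post_type=attachment; apply the same ownership scope there.
add_action( 'pre_get_posts', function ( $wp_query ) {
    if ( ! is_admin() || ! $wp_query->is_main_query() ) {
        return;
    }
    if ( 'attachment' !== $wp_query->get( 'post_type' ) ) {
        return;
    }
    if ( usp_example_restrict_to_own_media() ) {
        $wp_query->set( 'author', get_current_user_id() );
    }
} );
```

Two caveats for anyone deploying this. First, filtering a listing is a visibility control, not authorization: whether a user may actually edit or delete a given attachment is decided by the meta capabilities `edit_post` and `delete_post`, which core maps to `edit_others_posts` / `delete_others_posts` when the attachment belongs to someone else, so an Author already cannot delete another user's uploads through the admin-ajax `delete-post` action even if they learn its ID. You can verify that for a specific attachment with `current_user_can( 'delete_post', $attachment_id )`. Second, the `author` scope hides attachments whose `post_author` is 0, for example files uploaded by WP-CLI or an import, from everyone except users with `edit_others_posts`; check your existing media before enabling it.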

  • The topic ‘Serious Security Issues’ is closed to new replies.