Open shawfactor opened 1 year ago
The capability checked for by the plugin is activate_plugins, see https://github.com/WordPress/plugin-check/blob/6b28da3c600c7658388272fef5085f1e87827a82/includes/Admin/Admin_Page.php#L67 and https://github.com/WordPress/plugin-check/blob/6b28da3c600c7658388272fef5085f1e87827a82/includes/Admin/Admin_Page.php#L186-L192
@swissspidy, the ticket is open against the legacy plugin. You can find it here: https://github.com/WordPress/plugin-check/blob/legacy-plugin/admin/admin.php#L17-L19.
Well in that case I suppose we can close the issue, given that it doesn't exist in the new version.
The plugin in the .org repository uses manage_options and I was told to come here to raise a ticket to fix that…
In any case, activate_plugins is the wrong capability to check against. Logically it should be a capability only super admins have on multisite, like install_plugins. Otherwise there is a minor security risk.
I would suggest a more appropriate capability check for this plugin would be install_plugins rather than manage_options. What do you think?
I suggest this as, when it is run on a multisite, ordinary site admins have manage_options but cannot change the plugin anyway. In fact this could be a minor security vector, by displaying the code that is being run on the site inappropriately.
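For reference, the pattern under discussion as an added example (not plugin-check's own code; the function names, slugs and the `pc_example_` prefix are hypothetical): the capability is held in one place and checked both when the menu entry is registered and again inside the `admin_post` handler, which is reachable without going through the menu.

```php
<?php
// Added example, not code from the plugin-check project.
// On multisite every site administrator holds manage_options, while
// install_plugins is granted to super admins only by default, so the
// latter keeps the tool (and the plugin source it displays) network-only.
const PC_EXAMPLE_CAP = 'install_plugins';

add_action( 'admin_menu', 'pc_example_register_page' );
function pc_example_register_page() {
    add_management_page(
        'Plugin Check (example)',
        'Plugin Check (example)',
        PC_EXAMPLE_CAP, // the weak variant would be 'manage_options'
        'pc-example',
        'pc_example_render_page'
    );
}

function pc_example_render_page() {
    // Re-check on render; core gates registered pages, but keeping the
    // check next to the output makes the intent explicit and auditable.
    if ( ! current_user_can( PC_EXAMPLE_CAP ) ) {
        wp_die( esc_html__( 'You do not have permission to access this page.', 'pc-example' ), 403 );
    }
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'pc_example_run' );
    echo '<input type="hidden" name="action" value="pc_example_run" />';
    echo '<input type="text" name="plugin" /> <button type="submit">Check</button></form>';
}

// admin_post handlers are not covered by the menu capability, so the
// check must be repeated here or any logged-in user could trigger a run.
add_action( 'admin_post_pc_example_run', 'pc_example_handle_run' );
function pc_example_handle_run() {
    check_admin_referer( 'pc_example_run' );
    if ( ! current_user_can( PC_EXAMPLE_CAP ) ) {
        wp_die( esc_html__( 'You do not have permission to run checks.', 'pc-example' ), 403 );
    }
    $plugin = sanitize_text_field( wp_unslash( $_POST['plugin'] ?? '' ) );
    // Only accept a basename that get_plugins() actually knows about,
    // so the value cannot be used to read arbitrary files.
    if ( ! array_key_exists( $plugin, get_plugins() ) ) {
        wp_die( esc_html__( 'Unknown plugin.', 'pc-example' ), 400 );
    }
    // ... run the checks for $plugin here ...
    wp_safe_redirect( admin_url( 'tools.php?page=pc-example&checked=1' ) );
    exit;
}
```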