Status: Open. champsupertramp opened this issue 4 years ago.
Hi @champsupertramp
It's not a problem to return this ability by a hook. But do the customers know that they open a security hole on their websites in this case? https://www.wordfence.com/blog/2020/11/critical-privilege-escalation-vulnerabilities-affect-100k-sites-using-ultimate-member-plugin/
The Editor role has the capabilities to view and edit the website content by default.
https://wordpress.org/support/topic/please-specify-account-type-error-on-profile-page/ is my report.
Here is the list of my Plugins:
Is there an update on this? I am forced to use v2.1.10, which leaves me vulnerable to the exploit above. I just tried updating to v2.1.15 in my staging environment and ran into the same issue.
Or is there a workaround I can use?
I am trying to allow an administrator to change a user's role from the user's profile page. The radio/dropdown option appears correctly, and the page reacts to "Update Profile" as though the change is accepted, ~~however the change is not processed and the role is not changed.~~ Correction: it applies both roles that I have selected as options, so if I view the users list in the WP backend, both roles are applied. Setting a role priority causes the role with the higher priority to display. Trying to change the role again does not remove one of the roles; it appears that the role selected from the radio/dropdown is added to the user's roles, and selecting another option does not remove the others.
Is this the same issue?
I'm facing exactly the same issue. I've contacted Ultimate Member support and ran a theme/plugin conflict test; however, even with all plugins except Ultimate Member disabled, I still get the same multiple-role / old-role-not-removed issue. Did you happen to find a cause or solution?
Describe the bug
Since 2.1.12, not all roles show in the Roles field. This is due to the security patch in the latest version.
Maybe we can do something about this issue with changing any role on the front-end form: https://wordpress.org/support/topic/bug-role-change-in-profile-form-by-administrator-2/ https://wordpress.org/support/topic/bug-role-change-in-profile-form-by-administrator/ https://wordpress.org/support/topic/help-me-role-select-not-working/ https://wordpress.org/support/topic/unable-to-manually-edit-um-role/ https://wordpress.org/support/topic/please-specify-account-type-error-on-profile-page/
The previous security patch disallows users from changing some roles (including administrator, editor, etc.) on the front end. I suggest adding a filter hook to allow them to show all roles at the developer's expense.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Show all roles in the Roles field.
Do you use UM extensions?
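The hook the issue asks for hands the security decision to the site developer, so the following shows what that decision should look like in code. It is an added example written for this page, not Ultimate Member's code and not the hook the project may have shipped; the filter name `um_example_frontend_editable_roles`, the nonce action `um_example_role_update`, the `um_member` role and all `um_example_*` function names are hypothetical, while the WordPress core functions called are real. The unsafe function shows two mistakes that would produce both the privilege-escalation hole the maintainer links to and the "both roles applied" symptom the comments describe: trusting the role the browser submits, and calling `add_role()`, which appends a role instead of replacing it. The hardened version keeps the capability and allow-list checks on the server no matter which roles the form renders, and uses `set_role()`.

```php
<?php
/**
 * Added example, not Ultimate Member code.
 * Hypothetical names (not on the page): the 'um_example_frontend_editable_roles'
 * filter, the 'um_example_role_update' nonce action, the 'um_member' role and
 * every um_example_* function. WordPress core functions used here are real.
 */

// --- Unsafe pattern: what "just return this ability by a hook" tends to become. ---
// Trusts the role posted by the browser and stacks roles instead of replacing them.
function um_example_update_role_unsafe( int $user_id ) {
    $role = sanitize_key( $_POST['role'] ?? '' );
    $user = get_userdata( $user_id );
    if ( $user && $role ) {
        // add_role() APPENDS: the old role stays, so the user ends up with both.
        $user->add_role( $role );
    }
}

// --- Hardened pattern. ---

// Roles a site owner has explicitly opted in to exposing on the front end. Default: none.
function um_example_frontend_editable_roles(): array {
    // get_editable_roles() lives in wp-admin/includes/user.php, which WordPress
    // does not load on the front end; require it so core's 'editable_roles'
    // filter still narrows the list for the current user.
    if ( ! function_exists( 'get_editable_roles' ) ) {
        require_once ABSPATH . 'wp-admin/includes/user.php';
    }
    $opted_in = apply_filters( 'um_example_frontend_editable_roles', array() );
    return array_values( array_intersect( $opted_in, array_keys( get_editable_roles() ) ) );
}

/**
 * @return true|WP_Error
 */
function um_example_update_role( int $target_user_id, string $requested_role, string $nonce ) {
    if ( ! wp_verify_nonce( $nonce, 'um_example_role_update' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid request.' );
    }
    // Authorisation is decided on the server, not by whether the dropdown was rendered.
    if ( ! current_user_can( 'promote_users' ) || ! current_user_can( 'edit_user', $target_user_id ) ) {
        return new WP_Error( 'forbidden', 'You may not change roles.' );
    }
    // Design choice: nobody changes their own role through the profile form.
    if ( get_current_user_id() === $target_user_id ) {
        return new WP_Error( 'self_edit', 'You cannot change your own role here.' );
    }
    $requested_role = sanitize_key( $requested_role );
    if ( ! wp_roles()->is_role( $requested_role ) ) {
        return new WP_Error( 'unknown_role', 'Unknown role.' );
    }
    if ( ! in_array( $requested_role, um_example_frontend_editable_roles(), true ) ) {
        return new WP_Error( 'role_not_allowed', 'This role cannot be assigned from the front end.' );
    }
    $user = get_userdata( $target_user_id );
    if ( ! $user ) {
        return new WP_Error( 'no_user', 'No such user.' );
    }
    // set_role() replaces every existing role, so the previous role does not linger.
    $user->set_role( $requested_role );
    return true;
}

// The site owner opts in, at their own expense, to two non-privileged roles only.
// 'administrator' and 'editor' are deliberately absent from this list.
add_filter( 'um_example_frontend_editable_roles', function ( array $roles ) {
    return array( 'subscriber', 'um_member' ); // 'um_member' is a hypothetical custom role
} );
```

The intersection with `get_editable_roles()` matters: even if a site owner lists `administrator` in the opt-in filter, WordPress's own `editable_roles` filter can still strip it for the acting user, and the `promote_users` check stops an Editor (who can edit content but not users) from reaching the role update at all.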