Possible Security Risk in WordPress Plugin Groups

Description

How a WordPress user with the Editor role and the custom capability 'groups_admin_groups' could gain almost administrator-level access.

Test Environment

WordPress Version 3.9.3

WP Plugin Groups Version 1.4.12

Test Scenario

In a website project, a WordPress user with a role below Administrator (Author, Contributor or Editor) was supposed to confirm user registrations and assign users to groups with the Groups plugin.

This is possible if the user is granted the core capability 'promote_users' (necessary, as described in WP support) and the two custom capabilities that come with the Groups plugin, 'groups_access' and 'groups_admin_groups'.

Without these two capabilities, it is not possible to

Security Risk: User can gain near Admin capabilities

The user with these restricted capabilities is now allowed to create a new group. While adding a new group or editing an existing one, the user can also assign capabilities to that group.

[Screenshot: Creating a super group with all core capabilities]

The capabilities on offer are not restricted to those of the current user's own role. The user can add ALL core capabilities (including creating and deleting users, switching and deleting themes, and more), all custom capabilities, and can even define new capabilities.

[Screenshot: Adding all capabilities to the group]

[Screenshot: Changing group membership in the profile]

After adding all capabilities to a test group and saving it, the user can open their own profile and make themselves a member of that group. Save, reload, and welcome the new almost-administrator with full access to the site. The only difference is that a member of this super group does not hold the Administrator role itself and is therefore not able to list, create or delete other administrators.

[Screenshot: Editing the user profile to change group membership]

Giving a role such restricted capabilities may be intended for good reasons, but a user who can empower themselves to almost administrator rights is probably not what was intended.


BUG FIX (QUICK):

FILE: /wp-content/plugins/groups/lib/core/constants.php

Add the following at around LINE 62:

    /**
     * @var string grants access to add and edit capabilities
     */
    define( 'GROUPS_ADMINISTER_CAPABILITIES', 'groups_admin_groups_capabilities' );



This defines a new capability that can then be assigned through the User Role Editor plugin or through Groups > Options (by administrators).


FILE: /wp-content/plugins/groups/lib/admin/groups-admin-capabilities.php

After the following (at around LINE 50):

    function groups_admin_capabilities() {
        global $wpdb;
        $output = '';
        $today = date( 'Y-m-d', time() );
        if ( !current_user_can( GROUPS_ADMINISTER_GROUPS ) ) {
            wp_die( __( 'Access denied.', GROUPS_PLUGIN_DOMAIN ) );
        }

add:

        if ( !current_user_can( GROUPS_ADMINISTER_CAPABILITIES ) ) {
            wp_die( __( 'Access denied.', GROUPS_PLUGIN_DOMAIN ) );
        }


FILE: /wp-content/plugins/groups/lib/admin/groups-admin-groups-edit.php

Find (at around LINE 100):

    $capability_table = _groups_get_tablename( 'capability' );

and insert before it:

    //START CAPABILITIES
    if ( current_user_can( GROUPS_ADMINISTER_CAPABILITIES ) ) {

Then close the block (at around LINE 139) after

    $output .= Groups_UIE::render_select( '.select.capability' );

by adding the line

    }//END CAPABILITIES


FILE: /wp-content/plugins/groups/lib/admin/groups-admin-groups-add.php

Before the following lines (at around LINE 90):

    $output .= '<div class="field">';
    $capability_table = _groups_get_tablename( "capability" );

insert:

    //START CAPABILITIES
    if ( current_user_can( GROUPS_ADMINISTER_CAPABILITIES ) ) {

and close the block (at around LINE 117) after:

    $output .= Groups_UIE::render_select( '.select.capability' );
    $output .= '</div>';

with:

    }//END CAPABILITIES


FILE: /wp-content/plugins/groups/lib/admin/groups-admin-options.php

At around LINE 50 change:

    $caps = array(
        GROUPS_ACCESS_GROUPS => __( 'Access Groups', GROUPS_PLUGIN_DOMAIN ),
        GROUPS_ADMINISTER_GROUPS => __( 'Administer Groups', GROUPS_PLUGIN_DOMAIN ),
        GROUPS_ADMINISTER_OPTIONS => __( 'Administer Groups plugin options', GROUPS_PLUGIN_DOMAIN ),
    );

to:

    $caps = array(
        GROUPS_ACCESS_GROUPS => __( 'Access Groups', GROUPS_PLUGIN_DOMAIN ),
        GROUPS_ADMINISTER_GROUPS => __( 'Administer Groups', GROUPS_PLUGIN_DOMAIN ),
        GROUPS_ADMINISTER_CAPABILITIES => __( 'Administer Groups Capabilities', GROUPS_PLUGIN_DOMAIN ),
        GROUPS_ADMINISTER_OPTIONS => __( 'Administer Groups plugin options', GROUPS_PLUGIN_DOMAIN ),
    );

As an administrator (or any user holding the capability behind GROUPS_ADMINISTER_OPTIONS) you can now open Groups > Options and tick the new capability 'Administer Groups Capabilities' (groups_admin_groups_capabilities) for the Administrator role. Do not grant it to the Editor or any other non-administrator role, otherwise the escalation described above is possible again.
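The quick fix gates the capability editor behind one new capability, but anyone who holds that capability can still attach any capability at all, including core ones such as create_users, to a group. The finer check a reviewer would want, both for the scenario described above and alongside the fix, is to refuse granting capabilities that the acting user does not hold themselves. The following is an added example written for this page, not code from the Groups plugin or from the original post. The function names groups_split_grantable_capabilities and groups_enforce_grantable_capabilities are made up here, the Editor capability list in the CLI demo is constructed, and the WordPress functions relied on (current_user_can, wp_die, esc_html) are the real core ones. Where exactly to call it inside the plugin's form handling is not shown on this page and is left to the integrator.

```php
<?php
/**
 * Added example for this page; not code from the Groups plugin or the post.
 *
 * Rule: a user may only grant a group capabilities that the user holds.
 * The pure function takes a callable so it can run without WordPress; the
 * wrapper at the end plugs in WordPress' real current_user_can().
 */

/**
 * Split requested capability names into the ones the actor may grant and the
 * ones that must be refused.
 *
 * @param string[] $requested Capability names as submitted by the form.
 * @param callable $can       fn(string $cap): bool, true if the actor holds $cap.
 * @return array{allowed: string[], refused: string[]}
 */
function groups_split_grantable_capabilities( array $requested, callable $can ): array {
    $allowed = array();
    $refused = array();
    foreach ( $requested as $name ) {
        $name = trim( (string) $name );
        if ( '' === $name ) {
            continue; // ignore empty submissions
        }
        // A capability the actor does not hold is refused. This also covers
        // capability names that do not exist yet: nobody holds them, so they
        // cannot be minted through this path.
        if ( $can( $name ) ) {
            $allowed[] = $name;
        } else {
            $refused[] = $name;
        }
    }
    return array(
        'allowed' => array_values( array_unique( $allowed ) ),
        'refused' => array_values( array_unique( $refused ) ),
    );
}

/**
 * WordPress enforcement point (hypothetical name). Call it on the capability
 * names posted from the "add group" / "edit group" forms before they are
 * stored. It dies with an error if any requested capability is not held by
 * the current user and otherwise returns the list that may be stored.
 */
function groups_enforce_grantable_capabilities( array $requested ): array {
    if ( ! function_exists( 'current_user_can' ) ) {
        throw new RuntimeException( 'WordPress is not loaded.' );
    }
    $split = groups_split_grantable_capabilities( $requested, 'current_user_can' );
    if ( ! empty( $split['refused'] ) ) {
        wp_die( esc_html( 'Access denied: you cannot grant capabilities you do not hold: '
            . implode( ', ', $split['refused'] ) ) );
    }
    return $split['allowed'];
}

// Stand-alone demo; runs only from the CLI when WordPress is not loaded.
// The Editor capability set is constructed for this example: a few core
// Editor capabilities plus the ones the post grants (promote_users,
// groups_access, groups_admin_groups).
if ( PHP_SAPI === 'cli' && ! function_exists( 'current_user_can' ) ) {
    $editor_caps = array(
        'read', 'edit_posts', 'edit_others_posts', 'publish_posts',
        'manage_categories', 'moderate_comments', 'upload_files',
        'promote_users', 'groups_access', 'groups_admin_groups',
    );
    // Constructed request: what the post's "super group" attempt would submit.
    $requested = array(
        'edit_posts', 'groups_admin_groups', // held by the actor
        'create_users', 'delete_users',      // core, not held by an Editor
        'switch_themes', 'delete_themes',    // core, not held by an Editor
        'brand_new_capability',              // does not exist anywhere
    );
    $can = static function ( string $cap ) use ( $editor_caps ): bool {
        return in_array( $cap, $editor_caps, true );
    };
    $split = groups_split_grantable_capabilities( $requested, $can );
    echo 'allowed: ' . implode( ', ', $split['allowed'] ) . PHP_EOL;
    echo 'refused: ' . implode( ', ', $split['refused'] ) . PHP_EOL;
}
```

Run the file with php outside WordPress to see the split: with the constructed Editor set, edit_posts and groups_admin_groups are allowed, while create_users, delete_users, switch_themes, delete_themes and the invented capability are refused. Inside WordPress, call groups_enforce_grantable_capabilities() on the submitted capability names before the group is saved. An administrator holds all core capabilities and passes unchanged, but this rule also stops an administrator from minting brand-new custom capability names through the group form; if that is needed, it has to be allowed explicitly rather than by default.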

[Screenshot: Dashboard > Groups > Options]

[Screenshot: Dashboard > Users > User Role Editor, capabilities overview]

Bugfix (only modified files)

The modified files are available for download: Groups Plugin Bugfix (only modified files).