[wp-trac] [WordPress Trac] #43936: Settings: Warn when open registration and new user default is privileged
WordPress Trac
noreply at wordpress.org
Fri Feb 20 02:25:16 UTC 2026
#43936: Settings: Warn when open registration and new user default is privileged
-------------------------------------------------+-------------------------
 Reporter:  kraftbj                              |       Owner:  audrasjb
     Type:  feature request                      |      Status:  closed
 Priority:  normal                               |   Milestone:  7.0
Component:  Security                             |     Version:
 Severity:  normal                               |  Resolution:  fixed
 Keywords:  needs-user-docs early 2nd-opinion    |     Focuses:  administration
            needs-test-info has-patch            |
-------------------------------------------------+-------------------------
Comment (by dd32):
Replying to [comment:51 audrasjb]:
> As said above by multiple commenters, I don't think it is much of an
> issue, since installations where Administrator is the default role are
> very rare use cases. I think we can go with the implementation proposed in
> PR5893.

Just to clarify the earlier discussions related to validating the
settings; [61687] does help prevent a user accidentally setting themselves
up to fail. But it doesn't attempt to solve the most common (IMHO) reason
it ends up in that state: **Vulnerabilities in plugin/themes that allow
setting arbitrary options**.

[61687] won't protect a user at all against a vulnerability that allows an
attacker to set an option (enable registrations + default role), then
register a new user, then install malicious code. Equally, it won't
prevent a user from doing that via options.php manually.

I'd be happy to leave this as-is, and re-open #46744 for that approach if
you feel strongly @audrasjb
--
Ticket URL: <https://core.trac.wordpress.org/ticket/43936#comment:87>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
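
The comment above notes that settings-screen validation does not cover options written by other code paths. As an added example (not part of the original message and not WordPress core code), this must-use plugin checks the stored `users_can_register` and `default_role` values whenever either changes. The `gr_*` names and the capability list are assumptions, and a single-site install is assumed.

```php
<?php
/**
 * Added example (not WordPress core code): a must-use plugin that checks the
 * stored option values themselves, so it fires no matter how they were written
 * (settings screen, options.php, or another component calling update_option()).
 * The gr_* names and the capability list are assumptions made for illustration.
 */

// Capabilities that let an account change code, settings or other users.
const GR_PRIVILEGED_CAPS = array(
	'manage_options', 'install_plugins', 'edit_plugins',
	'install_themes', 'edit_themes', 'create_users', 'promote_users',
);

/** Return the privileged capabilities granted by the given capability map. */
function gr_privileged_caps( array $caps ) {
	$granted = array_keys( array_filter( $caps ) );
	return array_values( array_intersect( GR_PRIVILEGED_CAPS, $granted ) );
}

/** Inspect the live options; return the risky capabilities, or an empty array. */
function gr_check_open_registration() {
	if ( ! get_option( 'users_can_register' ) ) {
		return array(); // Registration closed: the default role is never assigned.
	}
	$role = get_role( (string) get_option( 'default_role' ) );
	return $role ? gr_privileged_caps( $role->capabilities ) : array();
}

/** Log whenever either option changes and the resulting pair is dangerous. */
function gr_on_option_change( $option ) {
	if ( ! in_array( $option, array( 'users_can_register', 'default_role' ), true ) ) {
		return;
	}
	$caps = gr_check_open_registration();
	if ( $caps ) {
		error_log( sprintf(
			'[registration-audit] open registration with default_role=%s grants: %s',
			get_option( 'default_role' ),
			implode( ', ', $caps )
		) );
	}
}

if ( function_exists( 'add_action' ) ) {
	add_action( 'updated_option', 'gr_on_option_change' );
	add_action( 'added_option', 'gr_on_option_change' );
}
```

The hooks only fire for writes that go through the options API, so calling `gr_check_open_registration()` from a scheduled task as well covers values changed directly in the database.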