Plugin Doesn’t Respect User Roles
Features or settings are available to users who shouldn’t access them.
Key Points: Plugins expose settings, features, or dashboard areas to unauthorized users.
Your contributor can now change sitewide SEO titles. Your editor sees settings they shouldn’t touch. The plugin didn’t check capabilities before showing its tools.
🔐 Risk Factors
- Missing or improper use of current_user_can() before exposing a tool
- Settings panels or widgets added without role filtering
- Shortcodes or frontend tools exposing admin functions
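The three risk factors side by side, as an added illustration written for this note and not code from any real plugin: each "before" function shows the missing or misused capability check, and each "after" function shows the corrected version. The plugin name, the option name example_seo_title, the menu slug example-seo and the AJAX action name are all assumed placeholders.

```php
<?php
/**
 * Plugin Name: Example Role Checks (hypothetical illustration, not a real plugin)
 * Assumed placeholders: option 'example_seo_title', menu slug 'example-seo',
 * AJAX action 'example_seo_save', nonce action 'example_seo_save'.
 */

// BEFORE: settings page registered with a capability every logged-in user has.
// 'read' is granted to Subscribers, so the menu entry and page are open to all.
function example_menu_insecure() {
    add_menu_page( 'Example SEO', 'Example SEO', 'read', 'example-seo', 'example_render_page' );
}

// AFTER: require 'manage_options' (Administrators only on a default install).
function example_menu_secure() {
    add_menu_page( 'Example SEO', 'Example SEO', 'manage_options', 'example-seo', 'example_render_page' );
}
add_action( 'admin_menu', 'example_menu_secure' );

// The menu capability only hides the link. The render callback must check again,
// because the page is still reachable by URL (wp-admin/admin.php?page=example-seo).
function example_render_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission to access this page.', 'example' ), 403 );
    }
    $title = get_option( 'example_seo_title', '' );
    echo '<div class="wrap"><h1>Example SEO</h1><p>Current title: ' . esc_html( $title ) . '</p></div>';
}

// BEFORE: AJAX save with no capability check. Any logged-in user (a Contributor
// included) can POST to admin-ajax.php and change the sitewide title.
function example_ajax_save_insecure() {
    update_option( 'example_seo_title', sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ) );
    wp_send_json_success();
}

// AFTER: a nonce proves the request came from your form (CSRF), and
// current_user_can() proves the user is allowed (authorization). Both are needed;
// a nonce alone does not restrict which role may save.
function example_ajax_save_secure() {
    check_ajax_referer( 'example_seo_save', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    update_option( 'example_seo_title', sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_seo_save', 'example_ajax_save_secure' );

// Shortcodes run for whoever views the post, so a shortcode that prints internal
// settings exposes them to every visitor. Gate the privileged output on the viewer's
// capability, and keep any state change in a nonce-protected admin handler instead.
function example_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'show' => 'title' ), $atts, 'example_seo' );
    if ( 'debug' === $atts['show'] ) {
        if ( ! current_user_can( 'manage_options' ) ) {
            return ''; // silently nothing for ordinary visitors
        }
        return '<pre>' . esc_html( wp_json_encode( get_option( 'example_seo_title' ) ) ) . '</pre>';
    }
    return esc_html( get_option( 'example_seo_title', '' ) );
}
add_shortcode( 'example_seo', 'example_shortcode' );
```

The pattern to look for when reviewing a plugin is the pair: the capability named in add_menu_page()/add_submenu_page() and a matching current_user_can() inside every callback that reads or writes settings, including wp_ajax_* and REST handlers, which never pass through the menu at all.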
🛠️ Your Fix
- Check plugin code or request access control improvements
- Use a plugin like User Role Editor to restrict capabilities manually
- If necessary, hide UI elements using CSS or hooks
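When you cannot change the plugin, the "hide UI elements using hooks" fix can be done from a small must-use plugin like the added example below. This is illustration code written for this note, not part of any plugin; the menu slug example-seo and the custom capability example_manage_seo are placeholders you would replace with the values of the plugin you are restricting.

```php
<?php
/**
 * Plugin Name: Restrict Example SEO Menu (hypothetical mu-plugin)
 * Place in wp-content/mu-plugins/ so it loads before regular plugins.
 * Assumes the third-party plugin registers the menu slug 'example-seo' (placeholder)
 * and, optionally, gates its tools on a custom capability 'example_manage_seo' (placeholder).
 */

const EXAMPLE_RESTRICTED_SLUG = 'example-seo';
const EXAMPLE_RESTRICTED_CAP  = 'example_manage_seo';

// 1. Hide the menu entry for anyone without manage_options.
//    Priority 999 runs after the plugin has added its page, so the removal sticks.
add_action( 'admin_menu', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        remove_menu_page( EXAMPLE_RESTRICTED_SLUG );
    }
}, 999 );

// 2. Hiding is cosmetic: the page is still reachable by typing the URL.
//    Block direct requests to it for users who lack the capability.
add_action( 'admin_init', function () {
    $page = isset( $_GET['page'] ) ? sanitize_key( wp_unslash( $_GET['page'] ) ) : '';
    if ( EXAMPLE_RESTRICTED_SLUG === $page && ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Access denied.', 'example' ), 403 );
    }
} );

// 3. If the plugin checks a custom capability, strip it from every role except
//    administrator at check time. This is what a role-editor plugin does for you
//    in the database; doing it here keeps the decision in version-controlled code.
add_filter( 'user_has_cap', function ( $allcaps, $caps, $args, $user ) {
    if ( isset( $allcaps[ EXAMPLE_RESTRICTED_CAP ] )
         && ! in_array( 'administrator', (array) $user->roles, true ) ) {
        unset( $allcaps[ EXAMPLE_RESTRICTED_CAP ] );
    }
    return $allcaps;
}, 10, 4 );
```

Steps 1 and 2 only cover the admin page. A plugin's admin-ajax.php and REST endpoints are separate entry points, and if they lack their own current_user_can() checks this mu-plugin does not close them; that is why "request access control improvements" from the plugin author remains the real fix, and why the CSS-only variant of this approach should be treated as cosmetic.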
⚠️ Admin Note
Always test new plugins with non-admin accounts — you’ll be surprised what others can access by default.