Editors or contributors are given admin-level access or dangerous permissions.
Users with Excessive Capabilities
Key Points: A contributor with admin access is a time bomb. Always audit roles.
Give an editor just a bit too much power and suddenly plugin settings, backups, or other user accounts are being changed. A WordPress role is nothing more than a bundle of capabilities: `manage_options` unlocks every settings page, `install_plugins` and `edit_plugins` let someone put their own code on the site, `edit_users` and `promote_users` let them take over other accounts, and `unfiltered_html` lets them publish raw script tags. Roles are flexible, and a role carrying the wrong bundle is dangerous in the wrong hands.
🔓 Risks
- Custom or modified roles that nobody reviewed after they were created, so an Editor quietly carries administrator-level capabilities
- Plugins that expose their settings pages to editors, often by registering the menu behind a loose capability such as `edit_posts` instead of `manage_options`
- Third-party integrations, migration tools, or onboarding scripts that create administrator accounts automatically and leave them behind
🛠️ Safety Checks
- Audit who holds what before trimming: `wp user list --role=administrator` shows every admin account, and `wp cap list editor` (or any other role) prints the capabilities that role actually grants; a role editor plugin gives the same view in the dashboard. Remove grants with `wp cap remove <role> <cap>` or `wp user remove-cap <user> <cap>` rather than by hand in the database
- Remove old, unknown, or suspicious users on a schedule, and treat any administrator account you did not create as an incident until proven otherwise
- Restrict plugin access by role: deny the dangerous capabilities to non-administrators with a `user_has_cap` filter, or use a plugin that does the same, so a loose menu registration cannot reopen the door
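The two checks above (deny dangerous capabilities to anyone who is not an administrator, and report who still holds them) as one must-use plugin. This is an added example written for this page, not code from WordPress or from any plugin; the capability list in `cg_dangerous_caps()` and the `cg_` prefix are assumptions you should adjust to your site.

```php
<?php
/**
 * Plugin Name: Capability Guardrail (example)
 * Description: Deny dangerous capabilities to non-administrators and report who still has them.
 *
 * Place in wp-content/mu-plugins/ so it loads before ordinary plugins.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * Capabilities that let a user change settings, code, or other accounts.
 * This list is an assumption for the example; tune it for your site.
 */
function cg_dangerous_caps() {
    return array(
        'manage_options',   // every settings page
        'install_plugins',  // add code to the site
        'activate_plugins',
        'edit_plugins',     // edit plugin source in the dashboard
        'edit_themes',
        'edit_users',       // change other accounts
        'create_users',
        'promote_users',    // change roles
        'delete_users',
        'unfiltered_html',  // publish raw <script> tags (Editors hold this by default)
        'export',
        'import',
    );
}

/**
 * user_has_cap runs on every current_user_can() check. Whatever a plugin or
 * custom role handed out, a user who is not an administrator loses the
 * dangerous capabilities here.
 *
 * @param bool[]   $allcaps Capabilities the user currently holds.
 * @param string[] $caps    Primitive caps being checked.
 * @param array    $args    [0] requested cap, [1] user ID, further args.
 * @param WP_User  $user    The user being checked.
 * @return bool[]
 */
function cg_deny_dangerous_caps( $allcaps, $caps, $args, $user ) {
    if ( in_array( 'administrator', (array) $user->roles, true ) ) {
        return $allcaps;
    }
    foreach ( cg_dangerous_caps() as $cap ) {
        $allcaps[ $cap ] = false;
    }
    return $allcaps;
}
add_filter( 'user_has_cap', 'cg_deny_dangerous_caps', 10, 4 );

/**
 * Report non-administrator accounts whose role (or a per-user grant) still
 * carries a dangerous capability. Reads $user->allcaps, the raw grants, so
 * the deny filter above does not hide what should be cleaned up.
 *
 * @return array<string, string[]> user_login => dangerous caps held
 */
function cg_audit_users() {
    $findings = array();
    foreach ( get_users() as $user ) {
        if ( in_array( 'administrator', (array) $user->roles, true ) ) {
            continue;
        }
        $held = array_keys( array_filter( $user->allcaps ) );
        $bad  = array_values( array_intersect( $held, cg_dangerous_caps() ) );
        if ( $bad ) {
            $findings[ $user->user_login ] = $bad;
        }
    }
    return $findings;
}

// Expose the audit as `wp cap-audit` when running under WP-CLI.
if ( defined( 'WP_CLI' ) && WP_CLI ) {
    WP_CLI::add_command( 'cap-audit', function () {
        $findings = cg_audit_users();
        if ( ! $findings ) {
            WP_CLI::success( 'No non-administrator holds a dangerous capability.' );
            return;
        }
        foreach ( $findings as $login => $caps ) {
            WP_CLI::warning( sprintf( '%s: %s', $login, implode( ', ', $caps ) ) );
        }
    } );
}
```

Two caveats. First, denying `unfiltered_html` to Editors is a deliberate hardening choice: the default Editor role has it on single-site installs, and removing it means editors can no longer paste raw HTML with scripts into posts. Second, the filter only affects checks that go through `current_user_can()`; a plugin that gates a page by inspecting `$user->roles` directly, and a multisite super admin (who bypasses `user_has_cap`), are not covered, which is why the audit reads the raw grants and should be run after every plugin install or migration.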
🧠 Rule
If someone doesn’t need to change settings — they shouldn’t be able to. Least privilege always wins.