user with role editor can delete or edit admin accounts

I cannot reproduce that on a clean (no plugins, twentytwenty theme) WP site.

How are you able to see users when logged in as an editor?

In the user section of the wp-admin.
The users have the role editor.
When making a test user with this role I can log on with that user and delete an admin user.

Do you have any user-related plugins or have you customized the editor role? When I’m logged in as an editor, I cannot see/edit other users.

I just tested with a local install.
I also was not able to do this there.
Not even the Users menu was available to me now.
It feels like the official site might be corrupted and that this is not a normal bug. Might it have been hacked?

Is there any other place in WordPress or the installation where a role or user can elevate its rights?

There are plugins that can do that. It’s possible it was hacked. Have you scanned with a plugin like WordFence?

Reset capabilities to defaults using

What we’ve noticed is that when coming from a search in Google, the site (the first time calling it from the search results) opens an advertisement (jippykajee, I seem to have won an iPhone 🙁).

So it seems the website is infected with the search engine hack I’ve read about somewhere. And that does not surprise me, as I noticed the website was way behind on security patches.

I will try your suggestion and update this topic ASAP. Thanks so far.

Activated the plugin, which reset roles and rights. The situation now seems to be as expected. Thanks very much for your help.
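
An added example, not part of the thread and not code from WordPress or any plugin: a Python check for the symptom discussed above, a non-administrator role that holds user-management or other administrator-only capabilities. It assumes the role definitions were exported as JSON (for instance with `wp option get wp_user_roles --format=json` on a site using the default `wp_` table prefix); the sample data is constructed.

```python
import json

# Capabilities that WordPress core grants only to the administrator role
# on a single-site install (user management and site/plugin/theme control).
ADMIN_ONLY_CAPS = {
    "list_users", "create_users", "edit_users", "delete_users",
    "promote_users", "remove_users", "manage_options",
    "activate_plugins", "install_plugins", "edit_plugins",
    "switch_themes", "edit_themes",
}

def audit_roles(roles_json):
    """Return {role: sorted admin-only caps} for every non-administrator role."""
    roles = json.loads(roles_json)
    findings = {}
    for role, spec in roles.items():
        if role == "administrator":
            continue
        # An empty PHP array is exported as [] rather than {}, so normalise it.
        caps = spec.get("capabilities") or {}
        # Only a truthy stored value grants a capability; an explicit
        # false entry denies it and must not be reported.
        granted = {cap for cap, enabled in caps.items() if enabled}
        unexpected = sorted(granted & ADMIN_ONLY_CAPS)
        if unexpected:
            findings[role] = unexpected
    return findings

# Constructed sample: an editor role that has gained user-management rights.
SAMPLE = json.dumps({
    "administrator": {"name": "Administrator",
                      "capabilities": {"list_users": True, "delete_users": True,
                                       "manage_options": True}},
    "editor": {"name": "Editor",
               "capabilities": {"moderate_comments": True, "edit_others_posts": True,
                                "list_users": True, "edit_users": True,
                                "delete_users": True, "promote_users": False}},
    "subscriber": {"name": "Subscriber", "capabilities": {"read": True}},
    "empty_role": {"name": "Empty", "capabilities": []},
})

if __name__ == "__main__":
    for role, caps in audit_roles(SAMPLE).items():
        print(f"{role}: unexpected capabilities: {', '.join(caps)}")
```

Some plugins add roles that legitimately carry a few of these capabilities, so each finding needs to be compared against what is installed on the site.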
