
Focus role-capabilities-check on privilege escalation #183

Closed
tomepajk wants to merge 1 commit into dev from fix/role-escalation-fix

Conversation

@tomepajk
Collaborator

@tomepajk tomepajk commented Mar 22, 2026

Summary

  • Simplify role-capabilities-check to only detect added capabilities on default WordPress roles (privilege escalation)
  • Remove detection of removed capabilities and extra/non-default roles
  • Add subscriber privilege escalation step (manage_options) to simulate-hack.sh

Changes

includes/abilities/security/role-capabilities-check.php

  • Removed tracking of removed capabilities and extra_roles (non-default roles) detection
  • Simplified wp_agentic_admin_execute_role_capabilities_check() to only flag roles with added capabilities beyond WordPress defaults
  • Updated role status from modified to escalated for flagged roles
  • Simplified wp_agentic_admin_calculate_role_risk() — removed $removed parameter and the early-return for removal-only cases
  • Updated output schema — removed extra_roles field, updated descriptions to reflect escalation focus
  • Updated messages to clearly communicate privilege escalation detection

simulate-hack.sh

  • Added Step 3: escalate the subscriber role by adding manage_options capability via wp cap add
  • Creates a test subscriber user if none exists
  • Renumbered Steps 4–5 and updated the summary output

Test plan

  • Run bash simulate-hack.sh to plant the subscriber escalation
  • Trigger the role-capabilities-check ability and verify it flags the subscriber role with risk score 9.0
  • Verify roles with only removed capabilities show as default (not flagged)
  • Run composer lint to confirm PHP passes WPCS

🤖 Generated with Claude Code

Simplify the role capabilities checker to only detect added capabilities
on default WordPress roles (privilege escalation). Remove detection of
removed capabilities and extra/non-default roles. Add subscriber
escalation step to simulate-hack.sh for testing.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
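As an added example (not the plugin's own code), a stand-alone PHP sketch of the escalation-only comparison the description outlines: each default role's current capabilities are diffed against a baseline and only additions are flagged, so a role that merely lost capabilities reads as default, matching the test plan. The baseline, the per-capability risk weights and the sample role data are constructed for this example; the input shape follows `wp_roles()->roles` in WordPress.

```php
<?php
// Added example, not the plugin's code: escalation-only role check.
// $roles has the shape of wp_roles()->roles: slug => ['name' => ..., 'capabilities' => [cap => bool]].

// Constructed baseline for two default roles (in WordPress, take it from a fresh install's role map).
const EXAMPLE_DEFAULT_CAPS = [
    'subscriber'  => ['read', 'level_0'],
    'contributor' => ['read', 'level_0', 'level_1', 'edit_posts', 'delete_posts'],
];

// Assumed risk weights per added capability; the plugin's own scoring is not reproduced here.
const EXAMPLE_CAP_RISK     = ['manage_options' => 9.0, 'edit_users' => 8.5, 'install_plugins' => 8.0];
const EXAMPLE_DEFAULT_RISK = 5.0;

function example_find_escalated_roles(array $roles, array $defaults): array {
    $report = [];
    foreach ($defaults as $slug => $baseline) {
        if (!isset($roles[$slug])) {
            continue; // only default roles are compared; non-default roles are out of scope here
        }
        // Keep only capabilities that are actually granted (true), as WordPress does.
        $granted = array_keys(array_filter($roles[$slug]['capabilities'] ?? []));
        $added   = array_values(array_diff($granted, $baseline));
        // Removed capabilities are deliberately ignored: a role that only lost capabilities is "default".
        if ($added === []) {
            $report[$slug] = ['status' => 'default', 'added' => [], 'risk' => 0.0];
            continue;
        }
        $risk = 0.0;
        foreach ($added as $cap) {
            $risk = max($risk, EXAMPLE_CAP_RISK[$cap] ?? EXAMPLE_DEFAULT_RISK);
        }
        $report[$slug] = ['status' => 'escalated', 'added' => $added, 'risk' => $risk];
    }
    return $report;
}

// Constructed sample: subscriber gained manage_options (the simulate-hack.sh scenario);
// contributor only lost delete_posts and must not be flagged.
$sample_roles = [
    'subscriber'  => ['name' => 'Subscriber',  'capabilities' => ['read' => true, 'level_0' => true, 'manage_options' => true]],
    'contributor' => ['name' => 'Contributor', 'capabilities' => ['read' => true, 'level_0' => true, 'level_1' => true, 'edit_posts' => true]],
];
foreach (example_find_escalated_roles($sample_roles, EXAMPLE_DEFAULT_CAPS) as $slug => $row) {
    printf("%-12s %-9s risk=%.1f added=%s\n", $slug, $row['status'], $row['risk'], implode(',', $row['added']));
}
```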
@pluginslab
Owner

Closing this for now. The PHP changes look reasonable, but the JS files (role-capabilities-check.js and check-if-hacked.js) were not updated to match the new schema, which silently breaks the ability. interpretResult filters on "modified" while PHP now returns "escalated", and several removed fields (extra_roles, role.removed) are still referenced.

Created #188 to track the full scope of changes needed. The extra_roles removal also warrants a broader discussion about detection coverage.

Thanks for the contribution; this is a valuable direction, it just needs more attention on the JS side before merging.

@pluginslab pluginslab closed this Mar 27, 2026