User Roles and Capabilities Security & Risk Analysis

wordpress.org/plugins/user-roles-and-capabilities

Manage user roles and Capabilities, create new roles and change default role.

8K active installs · v1.2.6 · PHP + WP 3.5+ · Updated May 9, 2021
Tags: roles-and-capabilities, user-capabilities, user-roles, wordpress-capabilities, wordpress-user-roles

Score: 63 (C · Use Caution)
CVEs total: 1
Unpatched: 1
Last CVE: Jun 19, 2025
Safety Verdict

Is User Roles and Capabilities Safe to Use in 2026?

Use With Caution

Score 63/100

User Roles and Capabilities has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

1 known CVE · 1 unpatched · Last CVE: Jun 19, 2025 · Updated 5yr ago
Risk Assessment

The user-roles-and-capabilities plugin v1.2.6 presents a mixed security posture. While it demonstrates good practices such as using prepared statements for all SQL queries and incorporating a reasonable number of nonce and capability checks, significant concerns arise from the attack surface and output sanitization. The presence of an unprotected AJAX handler is a critical vulnerability, providing an easy entry point for attackers. Furthermore, a very low percentage of properly escaped output indicates a high risk of Cross-Site Scripting (XSS) vulnerabilities, allowing malicious scripts to be injected and executed in users' browsers.

The vulnerability history, with a known medium-severity CVE that is currently unpatched, aligns directly with the identified weakness of missing authorization, reflected in the "Missing Authorization" vulnerability type. This suggests a recurring pattern of insufficient access-control checks. The taint analysis shows no critical or high-severity flows, which is a positive sign, but it is overshadowed by the number of easily exploitable weaknesses in the attack surface and output handling.

In conclusion, while the plugin has some foundational security strengths, the unprotected AJAX handler and widespread unescaped output are serious flaws that significantly increase the risk of compromise. The unpatched medium-severity vulnerability exacerbates these concerns. Addressing the unprotected AJAX endpoint and implementing robust output escaping should be immediate priorities for the plugin developers.

Key Concerns

  • Unprotected AJAX handler found
  • Low percentage of properly escaped output
  • Currently unpatched medium severity CVE
  • Use of unserialize function
Vulnerabilities (1 published)

User Roles and Capabilities Security Vulnerabilities

CVEs by Year

2025: 1 CVE (unpatched)

Severity Breakdown

Medium: 1

1 total CVE

CVE-2025-49981 · medium (4.3) · Missing Authorization

User Roles and Capabilities <= 1.2.6 - Missing Authorization

Jun 19, 2025 · Unpatched
Version History

User Roles and Capabilities Release Timeline

  • v1000 · 1 CVE
  • v1.2.6 (Current) · 1 CVE
  • v1.2.5 · 1 CVE
  • v1.2.4 · 1 CVE
  • v1.2.3 · 1 CVE
  • v1.2.2 · 1 CVE
  • v1.2.1 · 1 CVE
  • v1.2.0 · 1 CVE
  • v1.1.1 · 1 CVE
  • v1.1 · 1 CVE
  • v1.0 · 1 CVE
Code Analysis
Analyzed Mar 16, 2026

User Roles and Capabilities Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 65 (3 escaped)
Nonce Checks: 10
Capability Checks: 24
File Operations: 1
External Requests: 0
Bundled Libraries: 0

Dangerous Functions Found

unserialize: return unserialize(get_option('solvease_wp_rc_caps')); (includes\class-solvease-wp-roles-capabilities_cap_functionality.php:690)

Output Escaping

4% escaped (68 total outputs)
Data Flows · Security: All sanitized

Data Flow Analysis

3 flows
  • solvease_roles_capabilities_change_default_role (includes\class-solvease-wp-roles-capabilities_cap_functionality.php:463)
Attack Surface (1 unprotected)

User Roles and Capabilities Attack Surface

Entry Points: 1
Unprotected: 1

AJAX Handlers (1)

  • wp_ajax_export_role_cap (auth) · includes\class-solvease-wp-roles-admin.php:57

WordPress Hooks (5)

  • action · admin_enqueue_scripts · includes\class-solvease-wp-roles-admin.php:51
  • action · admin_enqueue_scripts · includes\class-solvease-wp-roles-admin.php:54
  • action · admin_menu · includes\class-solvease-wp-roles-capabilities.php:53
  • filter · user_row_actions · includes\class-solvease-wp-roles-capabilities.php:54
  • action · plugins_loaded · includes\class-solvease-wp-roles-capabilities.php:55
Maintenance & Trust

User Roles and Capabilities Maintenance & Trust

Maintenance Signals

WordPress version tested: 5.7.15
Last updated: May 9, 2021
PHP min version:
Downloads: 126K

Community Trust

Rating: 96/100
Number of ratings: 21
Active installs: 8K
Developer Profile

User Roles and Capabilities Developer Profile

mahabub81

1 plugin · 8K total installs

Trust score: 68
Avg Security Score: 63/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect User Roles and Capabilities

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/user-roles-and-capabilities/includes/templates/user-caps-role.tpl.php
  • /wp-content/plugins/user-roles-and-capabilities/includes/class-solvease-wp-roles-capabilities-table.php
Script Paths
  • /wp-content/plugins/user-roles-and-capabilities/assets/js/custom.js
  • /wp-content/plugins/user-roles-and-capabilities/assets/js/validator.js
  • /wp-content/plugins/user-roles-and-capabilities/assets/js/sticky.js
  • /wp-content/plugins/user-roles-and-capabilities/assets/js/bootstrap.js
  • /wp-content/plugins/user-roles-and-capabilities/assets/js/uniform.js
Version Parameters
  • user-roles-and-capabilities/assets/js/custom.js?ver=
  • user-roles-and-capabilities/assets/js/validator.js?ver=
  • user-roles-and-capabilities/assets/js/sticky.js?ver=
  • user-roles-and-capabilities/assets/js/bootstrap.js?ver=
  • user-roles-and-capabilities/assets/js/uniform.js?ver=
  • user-roles-and-capabilities/assets/css/custom.css?ver=
  • user-roles-and-capabilities/assets/css/bootstrap.css?ver=
  • user-roles-and-capabilities/assets/css/font-awesome.css?ver=
  • user-roles-and-capabilities/assets/css/u?ver=

HTML / DOM Fingerprints

CSS Classes
solvease-roles-capabilities-table
Data Attributes
data-solvease-rnc-user-id
JS Globals
  • Solvease_Roles_Capabilities
  • Solvease_Roles_Capabilities_Activator
  • Solvease_Roles_Capabilities_Deactivator
  • Solvease_Roles_Capabilities_Table
  • Solvease_Roles_Capabilities_Functionality
FAQ

Frequently Asked Questions about User Roles and Capabilities