Does the “promote_users” capability allow someone to create a new admin account?

Yes, if you assign ‘promote_users’ to another user, that user could promote non-site admins to site admin.

https://codex.wordpress.org/Roles_and_Capabilities#promote_users

Related Posts:

  1. What action should I hook into when adding roles and capabilities?
  2. What’s the difference between Role and Meta capabilities; When to use map_meta_cap() filter
  3. Disable posts, only allow to edit existing pages, not create new ones (create_posts)
  4. How to get all capabilities of an existing user role
  5. Add Media Upload Capabilities Needed for Custom Role for non-Posts
  6. How can I prevent a writer from being able to edit an article that has been scheduled?
  7. Check whether user can delete a given post
  8. Allow unfiltered HTML in titles for low level users?
  9. Allow users to set a post author
  10. Unify the roles and caps?
  11. Filter list of rules based on a capability
  12. Using author_can() on custom post types in WordPress
  13. How to show a admin bar menu item only to users with certain capabilities?
  14. Theme option editing capability problems
  15. Assign multiple roles , overlapping capabilities
  16. WordPress remove capability post ,media completely for custom role
  17. Add capability to a role , so user is only able to view his own posts
  18. Is there a way of retrieving the core WP capabilities?
  19. Best Roles and Capability on a site with review features using a front end custom post
  20. Manage Roles and Capabilities on Multi-site
  21. How to create a clone role in wordpress
  22. Select subscriber as author of post in admin panel?
  23. How do I make a draft post accessible to everyone?
  24. User-edit role setting distinct from wp_capabilities? [closed]
  25. Allow roles below admin to add subscribers only
  26. Disallowing Users of a Custom Role from Deleting or Adding Administrators?
  27. Add Custom User Capabilities Before or After the Custom User Role has Been Added?
  28. How can I grant capabilities directly to users (not roles) in wp-admin?
  29. How to update user role without logout
  30. What exactly is WordPress?
  31. WordPress Capabilities: edit_user vs edit_users
  32. Allow authors to edit only certain users
  33. Do not allow users to create new posts and pages
  34. Roles & capabilities GUI that does not create separate table
  35. Role that can edit only widgets, not other theme options
  36. How to programmatically add a user to a role?
  37. how to add custom user capabilities using add_user_meta or something else?
  38. How to restrict specific post types from being read or added by specific user roles (eg. author)?
  39. Allow users to publish child pages of the pages they have access to edit
  40. How do I code access to the built-in UI of a CPT when it’s placed as submenu of another CPT that is protected by role?
  41. How to get all users with Author role capabilities?
  42. How to allow “Add New” capability of CPT when links to its UI are placed as a submenu?
  43. How to check if a role has a specific capability
  44. Locking Down WordPress Application Password Permissions / Capabilities
  45. Custom Role can’t trash Custom Post Type
  46. Multiple Authors on Single Post
  47. Why do comment moderators need to have all create/edit/delete toboth posts and pages?
  48. How can I restore admin capabilities?
  49. current_user_can Not Always Working Properly
  50. What determines whether admin toolbar is shown to a logged-in user?
  51. Update User Role
  52. Prevent Editors from Editing/Deleting Admin Accounts
  53. Are User Levels Still Currently Used?
  54. Restricted user capabilities cannot add image
  55. Pending status by default for a specific role
  56. Is there a capability for managing plugin options?
  57. How do you set up a WordPress blog with multiple authors to allow something like StackExchange’s “community wiki” feature?
  58. How do I restrict user access to plugins?
  59. Allow Contributor to edit published post and filter by page id
  60. Applying roles to an admin sub-menu (eg Appearance -> Menus)
  61. Remove Capabilities from WP admin for specific user role
  62. Logout users upon login, based on caps/role?
  63. Show metabox for a special role
  64. Restrict Access to Posts based on Custom User and Post Meta Data
  65. upload_files cap to not loggen in users – add_cap to not logged in users
  66. Role capability issue
  67. Disable user from updating certain posts
  68. Custom capabilities to add, edit, remove users of a particular role only?
  69. Restricting Pages based on Hierarchy and User Role
  70. Allow user to only access custom post type
  71. add_role user capability not working
  72. Restrict Capability of Administrator to Create, Edit and Delete Pages in Multisite
  73. Is it wise not to use only meta capabilities for certain basic post types?
  74. How can I promote a user to a network administrator?
  75. How to add custom JavaScript in functions?
  76. What capabilities are assigned to unauthenticated users?
  77. Capabilities Not Changing
  78. Menu page with minimum capability as ‘Subscriber’ doesn’t allow ‘Admin’ to access it?
  79. Role capabilities issue
  80. Want to know parameters that can be passed to user_can() for access control by user capabilities
  81. The Capability to choose post/page template
  82. Create sub-administrator role that can do everything except use or see the code editor
  83. Assigning multiple or additional capabilities to specific users or how to create additional roles like bbpress roles?
  84. How To Create A File Archive in WordPress?
  85. User role editor – Add download files capability
  86. How to fix the Post Preview Button (CPT & map_meta_cap)
  87. Restrict Custom Post Type per role in Dashboard
  88. Restrict access to custom post type based on its taxonomy terms
  89. Allow contributor user role to perform copy operation PHP
  90. Remove dashboard links from wordpress
  91. Enable plugins for a specific user role
  92. How can I create multiple different admin roles with their own capabilities
  93. Groups roles & capabilities
  94. How can I remove “Add new” button on custom post type
  95. Why does user_can return false for a capability during plugin deactivation?
  96. Capabilities and mapping required for a role to be able to edit other’s posts of a custom type, BUT only be able to edit their own blog posts
  97. Disable `create_post` for built-in post type
  98. Weird capabilities / roles behavior
  99. Subscriber role – blank page
  100. edit slider plugin capability for custom_role

Leave a Comment

techhipbettruvabetnorabahisbahis forumutaraftarium24eduedusedusedusedusedusedusedueduedus