From 5c2fae42cc6d69221591ceb8d5bedac0c808ed21 Mon Sep 17 00:00:00 2001
From: Shail Mehta
Date: Tue, 14 Oct 2025 22:01:00 +0530
Subject: [PATCH 1/6] Refresh Patch
---
 .../includes/class-wp-site-health.php | 40 +++++++++++++++++++
 src/wp-admin/includes/template.php | 10 +++--
 src/wp-admin/options-general.php | 22 +++++++++-
 3 files changed, 68 insertions(+), 4 deletions(-)
diff --git a/src/wp-admin/includes/class-wp-site-health.php b/src/wp-admin/includes/class-wp-site-health.php
index 9e81dab853f57..42a9b9b8e55cc 100644
--- a/src/wp-admin/includes/class-wp-site-health.php
+++ b/src/wp-admin/includes/class-wp-site-health.php
@@ -1857,6 +1857,42 @@ public function get_test_available_updates_disk_space() {
 return $result;
 }
+ /**
+ * Tests if registration is open to everyone and the default role is privileged.
+ *
+ * @since 6.9.0
+ *
+ * @return array The test results.
+ */
+ public function get_test_insecure_registration() {
+ $users_can_register = get_option( 'users_can_register' );
+ $default_role = get_option( 'default_role' );
+
+ $result = array(
+ 'label' => __( 'Open Registration with privileged default role' ),
+ 'status' => 'good',
+ 'badge' => array(
+ 'label' => __( 'Security' ),
+ 'color' => 'blue',
+ ),
+ 'description' => '

' . __( 'The combination of open registration setting and the default user role may lead to security issues.' ) . '

',
+ 'actions' => '',
+ 'test' => 'insecure_registration',
+ );
+
+ if ( $users_can_register && in_array( $default_role, array( 'editor', 'administrator' ), true ) ) {
+ $result['description'] = __( 'Registration is open to anyone, and the default role is set to a privileged role.' );
+ $result['status'] = 'critical';
+ $result['actions'] = sprintf(
+ '

%s

',
+ esc_url( admin_url( 'options-general.php' ) ),
+ __( 'Change these settings' )
+ );
+ }
+
+ return $result;
+ }
+
 /**
 * Tests if plugin and theme temporary backup directories are writable or can be created.
 *
@@ -2818,6 +2854,10 @@ public static function get_tests() {
 'label' => __( 'Autoloaded options' ),
 'test' => 'autoloaded_options',
 ),
+ 'insecure_registration' => array(
+ 'label' => __( 'Open Registration with privileged default role' ),
+ 'test' => 'insecure_registration',
+ ),
 'search_engine_visibility' => array(
 'label' => __( 'Search Engine Visibility' ),
 'test' => 'search_engine_visibility',
diff --git a/src/wp-admin/includes/template.php b/src/wp-admin/includes/template.php
index 25fb44ad71890..80cf285e71440 100644
--- a/src/wp-admin/includes/template.php
+++ b/src/wp-admin/includes/template.php
@@ -967,13 +967,17 @@ function parent_dropdown( $default_page = 0, $parent_page = 0, $level = 0, $post
 * Prints out option HTML elements for role selectors.
 *
 * @since 2.1.0
+ * @since 6.9.0 Added $editable_roles parameter.
- * @param string $selected Slug for the role that should be already selected.
+ * @param string $selected Slug for the role that should be already selected.
+ * @param array $editable_roles Array of roles to include in the dropdown. Defaults to all roles that the current user is allowed to edit.
 */
-function wp_dropdown_roles( $selected = '' ) {
+function wp_dropdown_roles( $selected = '', $editable_roles = null ) {
 $r = '';
- $editable_roles = array_reverse( get_editable_roles() );
+ if ( null === $editable_roles ) {
+ $editable_roles = array_reverse( get_editable_roles() );
+ }
 foreach ( $editable_roles as $role => $details ) {
 $name = translate_user_role( $details['name'] );
diff --git a/src/wp-admin/options-general.php b/src/wp-admin/options-general.php
index 1e45d653533b3..585b638ee4e24 100644
--- a/src/wp-admin/options-general.php
+++ b/src/wp-admin/options-general.php
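Review bot: The privileged-role decision in `get_test_insecure_registration()` is the hard-coded `in_array( $default_role, array( 'editor', 'administrator' ), true )`, so a custom role carrying `manage_options`, `edit_users`, `edit_others_posts` or similar capabilities — or a role a site adds through the `default_role_dropdown_excluded_roles` filter this same patch introduces in options-general.php — reports `good`. Deciding by capability as well as by slug keeps the test and the dropdown exclusion from drifting apart; note `get_role()` returns null for an unknown slug, which should not be mistaken for a safe role. A smaller point: the `critical` branch assigns a bare `__()` string to `$result['description']` while the `good` branch appears to wrap its text in markup (the tags were lost in this rendering), so the two branches presumably render differently in Site Health and should be wrapped the same way. The method is complete within this hunk.

```php
		$users_can_register = get_option( 'users_can_register' );
		$default_role       = get_option( 'default_role' );

		// Flag by slug (as before) and by capability, so a custom role with
		// elevated capabilities is not reported as safe.
		$privileged_caps = array( 'manage_options', 'edit_users', 'install_plugins', 'edit_themes', 'edit_others_posts' );
		$is_privileged   = in_array( $default_role, array( 'editor', 'administrator' ), true );
		$role            = get_role( $default_role );
		if ( ! $is_privileged && $role instanceof WP_Role ) {
			foreach ( $privileged_caps as $cap ) {
				if ( $role->has_cap( $cap ) ) {
					$is_privileged = true;
					break;
				}
			}
		}

		// … unchanged: $result array construction …

		if ( $users_can_register && $is_privileged ) {
```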
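Review bot: The new `$editable_roles` parameter of `wp_dropdown_roles()` is documented as `@param array` but defaults to `null`, and when a caller supplies an array the `array_reverse()` step is skipped, so an explicit list prints in the order given rather than the reversed order of the default path; the caller added in options-general.php is too garbled in this rendering to confirm which order it passes. The loop also indexes `$details['name']` on every entry, a shape the docblock does not state. I would change the tag to `* @param array|null $editable_roles Optional. Roles to print, keyed by role slug with a 'name' entry each, in display order (not reversed here). Default null, meaning all roles the current user can edit, in reverse order.` `wp_dropdown_roles()` continues past the end of the hunk.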
@@ -304,7 +304,27 @@ class="" - + $details ) {
+ if ( in_array( $role, $excluded_roles, true ) && $role !== $selected ) {
+ unset( $editable_roles[ $role ] );
+ }
+ }
+ ?>
+
From 9288c4a556a9e9da8dbdd977f768b527736c0f4e Mon Sep 17 00:00:00 2001
From: Shail Mehta
Date: Tue, 14 Oct 2025 22:14:21 +0530
Subject: [PATCH 2/6] Fix PHPCS Error
---
 src/wp-admin/options-general.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/wp-admin/options-general.php b/src/wp-admin/options-general.php
index 585b638ee4e24..86b6e17c11ea4 100644
--- a/src/wp-admin/options-general.php
+++ b/src/wp-admin/options-general.php
@@ -304,7 +304,7 @@ class="" -
Date: Wed, 28 Jan 2026 21:57:36 +0530
Subject: [PATCH 3/6] Update version number for editable_roles parameter
Updated version number for $editable_roles parameter.
---
 src/wp-admin/includes/template.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/wp-admin/includes/template.php b/src/wp-admin/includes/template.php
index 3c7d4bb3c295b..f64ac9adb23c7 100644
--- a/src/wp-admin/includes/template.php
+++ b/src/wp-admin/includes/template.php
@@ -967,7 +967,7 @@ function parent_dropdown( $default_page = 0, $parent_page = 0, $level = 0, $post
 * Prints out option HTML elements for role selectors.
 *
 * @since 2.1.0
- * @since 6.9.0 Added $editable_roles parameter.
+ * @since 7.0.0 Added $editable_roles parameter.
 *
 * @param string $selected Slug for the role that should be already selected.
 * @param array $editable_roles Array of roles to include in the dropdown. Defaults to all roles that the current user is allowed to edit.
From 9bab0b1eacf304ea892199cbd676467b25f70212 Mon Sep 17 00:00:00 2001
From: Shail Mehta
Date: Wed, 28 Jan 2026 22:26:51 +0530
Subject: [PATCH 4/6] Update version number in get_test_insecure_registration
---
 src/wp-admin/includes/class-wp-site-health.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
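Review bot: The `default_role_dropdown_excluded_roles` filter and the `unset( $editable_roles[ $role ] )` loop change only which roles the dropdown lists; nothing in this hunk validates the submitted value, so a `default_role` of `administrator` posted directly or set with `update_option()` is presumably still accepted unless a sanitize step exists elsewhere — worth confirming, and worth stating in the filter's docblock so the filter is not mistaken for an enforcement point: `* Note: this only affects which roles the dropdown lists; the saved 'default_role' value is not validated against it, and Site Health reports a privileged default role after the fact.` Keeping the currently selected role visible via `$role !== $selected` is the right call, since an already-saved insecure value stays discoverable. Much of this hunk's PHP was lost in this rendering, so the code around the loop could not be reviewed.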
diff --git a/src/wp-admin/includes/class-wp-site-health.php b/src/wp-admin/includes/class-wp-site-health.php
index 0138749d58a1a..7d7fe6e7863fa 100644
--- a/src/wp-admin/includes/class-wp-site-health.php
+++ b/src/wp-admin/includes/class-wp-site-health.php
@@ -1885,7 +1885,7 @@ public function get_test_available_updates_disk_space() {
 /**
 * Tests if registration is open to everyone and the default role is privileged.
 *
- * @since 6.9.0
+ * @since 7.0.0
 *
 * @return array The test results.
 */
From 2285a51885827ef2b33d615bda6d3a379cf9a499 Mon Sep 17 00:00:00 2001
From: Shail Mehta
Date: Wed, 28 Jan 2026 22:28:08 +0530
Subject: [PATCH 5/6] Update version number in role exclusion filter comment
---
 src/wp-admin/options-general.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/wp-admin/options-general.php b/src/wp-admin/options-general.php
index 44b5a3cd33977..26e65f6640935 100644
--- a/src/wp-admin/options-general.php
+++ b/src/wp-admin/options-general.php
@@ -308,7 +308,7 @@ class=""
 /**
 * Filters the roles to be excluded from the default_role option.
 *
- * @since 6.9.0
+ * @since 7.0.0
 *
 * @param array $roles_to_exclude Array of roles to exclude from the dropdown. Defaults to administrator and editor.
 */
From d63ffe15cf8f59e52f6add8faff14d1cdc10ac25 Mon Sep 17 00:00:00 2001
From: Jb Audras
Date: Thu, 19 Feb 2026 08:54:17 +0100
Subject: [PATCH 6/6] Update src/wp-admin/options-general.php
Co-authored-by: Huzaifa Al Mesbah
---
 src/wp-admin/options-general.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/wp-admin/options-general.php b/src/wp-admin/options-general.php
index 26e65f6640935..510eb300693d4 100644
--- a/src/wp-admin/options-general.php
+++ b/src/wp-admin/options-general.php
@@ -310,7 +310,7 @@ class=""
 *
 * @since 7.0.0
 *
- * @param array $roles_to_exclude Array of roles to exclude from the dropdown. Defaults to administrator and editor.
+ * @param string[] $roles_to_exclude Array of roles to exclude from the dropdown. Defaults to administrator and editor.
 */
 $excluded_roles = (array) apply_filters( 'default_role_dropdown_excluded_roles', array( 'administrator', 'editor' ) );