WP Sudo 4.1.0 — security hardening
Security-hardening release. Requires WordPress 6.4+, PHP 8.2+.
- Gate-completeness fixes (coordinated disclosure; affected versions ≤ 4.0.0): interactive effect-level backstop on
admin_init+ login-session binding of the sudo proof (#102); REST effect-level backstop for custom routes (#104). - Admin-escalation guard (opt-in, default OFF): refuses to grant a new administrator/super-admin without an active sudo session — hooks the capabilities-meta write +
grant_super_admin, so it covers REST/AJAX/unauthenticated paths. Filterswp_sudo_guard_escalation/wp_sudo_allow_escalation, constantWP_SUDO_ALLOW_ESCALATION, high-severitywp_sudo_escalation_blockedevent. Known limits: runtimeuser_has_cap/map_meta_capgrants and direct$wpdbwrites are not caught (#111). - Docs aligned with shipped code (#113); Playground demo link bumped (#114).
Full notes: see CHANGELOG.md (## 4.1.0).