Skip to content

WP Sudo 4.1.0 — security hardening

Choose a tag to compare

@dknauss dknauss released this 24 Jun 15:33
1a899fc

Security-hardening release. Requires WordPress 6.4+, PHP 8.2+.

  • Gate-completeness fixes (coordinated disclosure; affected versions ≤ 4.0.0): interactive effect-level backstop on admin_init + login-session binding of the sudo proof (#102); REST effect-level backstop for custom routes (#104).
  • Admin-escalation guard (opt-in, default OFF): refuses to grant a new administrator/super-admin without an active sudo session — hooks the capabilities-meta write + grant_super_admin, so it covers REST/AJAX/unauthenticated paths. Filters wp_sudo_guard_escalation / wp_sudo_allow_escalation, constant WP_SUDO_ALLOW_ESCALATION, high-severity wp_sudo_escalation_blocked event. Known limits: runtime user_has_cap/map_meta_cap grants and direct $wpdb writes are not caught (#111).
  • Docs aligned with shipped code (#113); Playground demo link bumped (#114).

Full notes: see CHANGELOG.md (## 4.1.0).