Hardening WordPress user roles to prevent unauthorized image uploads and account creation

Freshy resolved an issue in which WordPress subscriber-level users, a role that should be limited to reading content and editing its own profile, were able to upload images, while subscriber accounts kept appearing without the client's knowledge. This case study walks through a multi-pronged response: tightening user permissions, auditing roles and accounts, and addressing potential vulnerabilities in plugins and themes.

Issue background

The site had an unusually high number of subscriber accounts, many registered with free email providers such as Gmail and Yahoo. More alarmingly, at least one subscriber had been able to upload media, something the standard subscriber role (which carries only the read capability) does not allow. The client did not know how these accounts were being created and questioned whether the site had been compromised.

Diagnosis

Freshy began by auditing the site’s user roles and capabilities. Initial testing confirmed that subscribers could not upload files through the dashboard, which pointed to a form or plugin-based upload path rather than a misconfigured role. Additionally:

  • A plugin named “Hospital Doctor Directory New” was installed and raised suspicions, but testing revealed it powered critical functionality and could not simply be removed.
  • XML-RPC was enabled. The xmlrpc.php endpoint is a well-known attack surface: pingback.ping needs no authentication, and system.multicall lets an attacker batch many login attempts into a single request.
  • Several plugins and the theme (Avada) were out of date, including:
    • Custom Post Type UI
    • Directorist – Business Directory Plugin
    • FileBird Pro
    • GTranslate
    • Slider Revolution
    • The Events Calendar
    • Wicked Folders
    • WP Rocket
    • Avada theme itself

Freshy also found a form (likely Gravity Forms) that included a file upload field, which could have allowed media to be uploaded without typical role-based restrictions.
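The audit described above can be scripted rather than clicked through. The following mu-plugin is an added example, not Freshy's tooling or code from the case: it registers a hypothetical `wp role-audit` WP-CLI command that checks the subscriber role definition, then checks every subscriber individually (capabilities can also be granted per user in the wp_capabilities user meta, which a role-only audit misses), flags accounts on free-mail or off-site domains, and reports the registration and XML-RPC settings that explain a flood of accounts. The free-mail domain list and the forbidden-capability list are constructed for the example.

```php
<?php
/**
 * Plugin Name: Role and upload audit (example, not Freshy's tooling)
 * Description: Drop into wp-content/mu-plugins/ and run `wp role-audit`.
 */

// Capabilities a subscriber must never hold. 'unfiltered_upload' bypasses the
// MIME allow-list entirely, so it is worth checking alongside 'upload_files'.
// (Constructed list for this example.)
const ROLE_AUDIT_FORBIDDEN_CAPS = array( 'upload_files', 'unfiltered_upload', 'edit_posts', 'create_users' );

// Free-mail domains to flag (constructed list for this example; extend as needed).
const ROLE_AUDIT_FREEMAIL = array( 'gmail.com', 'yahoo.com', 'hotmail.com', 'outlook.com', 'aol.com' );

/** Check the role definition itself (stored in the wp_user_roles option). */
function role_audit_role_caps( string $role_name = 'subscriber' ): array {
    $role = get_role( $role_name );
    if ( ! $role ) {
        return array( "role '{$role_name}' does not exist" );
    }
    $findings = array();
    foreach ( ROLE_AUDIT_FORBIDDEN_CAPS as $cap ) {
        if ( $role->has_cap( $cap ) ) {
            $findings[] = "role '{$role_name}' grants '{$cap}' (a plugin or theme has altered the role)";
        }
    }
    return $findings;
}

/**
 * Check each user, not just the role: user_can() resolves role caps plus any
 * caps granted directly in the user's wp_capabilities meta.
 */
function role_audit_users( string $role_name = 'subscriber' ): array {
    $site_host = strtolower( (string) wp_parse_url( home_url(), PHP_URL_HOST ) );
    $rows      = array();
    foreach ( get_users( array( 'role' => $role_name, 'fields' => 'all' ) ) as $user ) {
        $at     = strrpos( $user->user_email, '@' );
        $domain = false === $at ? '' : strtolower( substr( $user->user_email, $at + 1 ) );
        $flags  = array();
        if ( in_array( $domain, ROLE_AUDIT_FREEMAIL, true ) ) {
            $flags[] = 'free-mail';
        } elseif ( $domain !== $site_host ) {
            $flags[] = 'off-domain';
        }
        foreach ( ROLE_AUDIT_FORBIDDEN_CAPS as $cap ) {
            if ( user_can( $user, $cap ) ) {
                $flags[] = "has:{$cap}";
            }
        }
        if ( $flags ) {
            $rows[] = array(
                'ID'         => $user->ID,
                'login'      => $user->user_login,
                'email'      => $user->user_email,
                'registered' => $user->user_registered,
                'flags'      => implode( ',', $flags ),
            );
        }
    }
    return $rows;
}

/** Settings that explain unexplained account creation and the XML-RPC exposure. */
function role_audit_settings(): array {
    return array(
        'users_can_register' => (bool) get_option( 'users_can_register' ),
        'default_role'       => get_option( 'default_role' ),
        // Core consults this same filter before allowing authenticated XML-RPC calls.
        'xmlrpc_enabled'     => (bool) apply_filters( 'xmlrpc_enabled', true ),
    );
}

if ( defined( 'WP_CLI' ) && WP_CLI ) {
    WP_CLI::add_command( 'role-audit', function () {
        foreach ( role_audit_role_caps() as $finding ) {
            WP_CLI::warning( $finding );
        }
        foreach ( role_audit_settings() as $key => $value ) {
            WP_CLI::line( sprintf( '%-20s %s', $key, var_export( $value, true ) ) );
        }
        $rows = role_audit_users();
        if ( $rows ) {
            WP_CLI\Utils\format_items( 'table', $rows, array( 'ID', 'login', 'email', 'registered', 'flags' ) );
        } else {
            WP_CLI::success( 'No flagged subscribers.' );
        }
    } );
}
```

Run it once before cleanup to capture the list of flagged accounts, and again after updating plugins and the theme: a role that regains `upload_files` after an update tells you which component is altering it.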

Resolution steps

  1. User audit and cleanup: The client removed all unknown subscriber accounts and was advised to review every administrator and editor account for legitimacy, especially accounts whose email address was not on the site’s own domain.
  2. Form lockdown: The form’s upload fields were limited to PDF and Word file types, and the number of files per submission was capped.
  3. Plugin and theme updates: All out-of-date plugins and the Avada theme were updated. This included patching known vulnerabilities like one found in Avada Fusion Builder version 3.11.14.
  4. XML-RPC mitigation: Confirmed with the host (Pressable) that XML-RPC access was already mitigated by their WAF (web application firewall).
  5. Permissions testing: Freshy re-tested and confirmed that subscribers still could not upload images through the dashboard, so the original uploads most likely came in through the front-end form or from earlier unauthorized activity by an administrator-level account.
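Steps 1 through 4 can be enforced in code so they survive a plugin update or a settings change by a compromised administrator. The mu-plugin below is an added example, not Freshy's code or anything deployed on the client site, and it assumes a single-site install where editors and above still need normal media uploads. It keeps `upload_files` off the subscriber role, forces registration closed and pins the default role, disables XML-RPC in the application as a second layer behind the host WAF, restricts uploads by anyone below editor to PDF and Word documents, and logs every account creation so the next unexplained subscriber can be traced.

```php
<?php
/**
 * Plugin Name: Upload and registration hardening (example, not Freshy's code)
 * Description: Drop into wp-content/mu-plugins/ so it loads before regular plugins.
 */

// 1. Keep 'upload_files' off the subscriber role. Role changes persist in the
//    wp_user_roles option, so a cap added by a plugin or theme stays until
//    something removes it; re-checking on every request undoes a re-add.
//    has_cap() guards the write so a clean site never touches the database.
add_action( 'init', function () {
    $role = get_role( 'subscriber' );
    if ( $role && $role->has_cap( 'upload_files' ) ) {
        $role->remove_cap( 'upload_files' );
    }
} );

// 2. Force registration closed and pin the default role, regardless of what
//    Settings > General says. Open registration plus a default role of
//    administrator is a classic post-compromise persistence trick.
add_filter( 'pre_option_users_can_register', '__return_zero' );
add_filter( 'pre_option_default_role', function () {
    return 'subscriber';
} );

// 3. XML-RPC: 'xmlrpc_enabled' only gates methods that require a login.
//    pingback.ping is unauthenticated and system.multicall batches login
//    attempts, so remove both, and drop the header that advertises the endpoint.
add_filter( 'xmlrpc_enabled', '__return_false' );
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'], $methods['system.multicall'] );
    return $methods;
} );
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// 4. Anyone who cannot edit posts (subscribers, anonymous form submitters)
//    may only upload PDF and Word documents. Editors and above keep the
//    default list so image uploads for content still work. WordPress's own
//    upload checks (wp_check_filetype_and_ext) consult this list; the form
//    plugin's per-field allowed-extensions setting remains the primary control.
add_filter( 'upload_mimes', function ( $mimes ) {
    if ( current_user_can( 'edit_posts' ) ) {
        return $mimes;
    }
    return array(
        'pdf'  => 'application/pdf',
        'doc'  => 'application/msword',
        'docx' => 'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
    );
} );

// 5. Leave a trail for every account creation: who was logged in (0 means
//    self-registration or an unauthenticated path), from which address and URI.
add_action( 'user_register', function ( $user_id ) {
    $user = get_userdata( $user_id );
    error_log( sprintf(
        '[user_register] id=%d login=%s email=%s ip=%s uri=%s by=%d',
        $user_id,
        $user ? $user->user_login : '?',
        $user ? $user->user_email : '?',
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-',
        isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '-',
        get_current_user_id()
    ) );
} );
```

Because the file lives in mu-plugins it cannot be deactivated from the dashboard, which is the point: an attacker who regains an administrator session would have to reach the filesystem to undo these settings. The registration log goes to PHP's error_log destination; point it at a file the host retains if the site's logs rotate quickly.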

Final outcome

With suspicious accounts removed, outdated plugins patched, and form uploads restricted, the site’s user role integrity was restored. Ongoing monitoring and education on WordPress user roles were recommended to avoid similar issues in the future.

If you’re dealing with unexpected account creation or permissions misuse in WordPress, contact Freshy for a security audit and expert resolution.