What problem does this address?
When users with different privilege levels collaborate on a post, a security concern arises: whoever clicks Save has their capabilities applied server-side. This means a higher-privileged user saving implicitly trusts all content added by lower-privileged collaborators, including potentially unsafe HTML.
Specific exploit scenario: A user with unfiltered_html capability (e.g., Administrator) edits alongside a user without it (e.g., Contributor). The Contributor inserts a malicious payload via the browser console. When the Administrator saves, WordPress applies the Administrator's capabilities to all content — including the Contributor's malicious additions — bypassing the HTML filtering that would normally apply.
What is your proposed solution?
Provide a configurable option (likely a filter or wp-config.php constant) that allows site administrators to restrict collaborative editing sessions to users with the same role or equivalent capability set. This would:
- Not be the default in core — to maximize collaboration accessibility out of the box
- Be available as an opt-in hardening measure for sites with strict security requirements (enterprise, government, etc.)
- Allow configurations like:
  - Only same-role users can share a session
  - Users with unfiltered_html cannot edit simultaneously with users who don't have it
  - Require lower-privileged users to leave the session before higher-privileged users can save
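As an added illustration of the opt-in hardening described above (this is example code written for this page, not WordPress core and not an implementation attached to this proposal), the sketch below wires a wp-config.php constant to a save-time filter. Everything named here is an assumption: `WP_COLLAB_RESTRICT_PRIVILEGE` is a hypothetical opt-in constant, and `collab_example_session_user_ids()` is a hypothetical stand-in for "who is in the session", backed by post meta because the page names no core API for that. The rule it enforces is the one the proposal implies: a session is only as trusted as its least-privileged participant, so if anyone in it lacks `unfiltered_html`, the saved content is run through `wp_kses_post()` regardless of who clicked Save.

```php
<?php
/**
 * Added example (not WordPress core code): opt-in constant plus a
 * wp_insert_post_data filter that applies Contributor-level HTML
 * filtering whenever a collaborative session contains a user who
 * lacks the unfiltered_html capability.
 *
 * Hypothetical pieces, not real WordPress APIs:
 *  - WP_COLLAB_RESTRICT_PRIVILEGE (define( 'WP_COLLAB_RESTRICT_PRIVILEGE', true )
 *    in wp-config.php to enable).
 *  - collab_example_session_user_ids(): who is in the session. Stubbed via
 *    a constructed post meta key; a real implementation would ask the
 *    collaboration backend.
 */

if ( ! defined( 'WP_COLLAB_RESTRICT_PRIVILEGE' ) ) {
    define( 'WP_COLLAB_RESTRICT_PRIVILEGE', false ); // off by default, as the proposal asks
}

/**
 * Hypothetical: user IDs currently sharing the editing session for $post_id.
 */
function collab_example_session_user_ids( $post_id ) {
    $ids = get_post_meta( $post_id, '_collab_example_session_users', true );
    return is_array( $ids ) ? array_map( 'intval', $ids ) : array();
}

/**
 * True only if every participant may post unfiltered HTML. The saving
 * user's own capability is deliberately not special-cased.
 */
function collab_example_all_can_unfiltered_html( array $user_ids ) {
    foreach ( $user_ids as $user_id ) {
        if ( ! user_can( $user_id, 'unfiltered_html' ) ) {
            return false;
        }
    }
    return true;
}

/**
 * Save-time enforcement: if the session includes a user without
 * unfiltered_html, filter post_content with wp_kses_post(), which is the
 * same treatment that user would have received saving alone.
 */
function collab_example_filter_on_save( $data, $postarr ) {
    if ( ! WP_COLLAB_RESTRICT_PRIVILEGE ) {
        return $data;
    }

    $post_id = isset( $postarr['ID'] ) ? (int) $postarr['ID'] : 0;
    if ( ! $post_id ) {
        return $data; // brand-new post, no session to consult yet
    }

    $session_users = collab_example_session_user_ids( $post_id );
    if ( empty( $session_users ) ) {
        return $data; // solo edit: normal capability rules apply
    }

    if ( ! collab_example_all_can_unfiltered_html( $session_users ) ) {
        // wp_insert_post_data receives slashed data: unslash, filter, re-slash.
        $data['post_content'] = wp_slash(
            wp_kses_post( wp_unslash( $data['post_content'] ) )
        );
    }

    return $data;
}
add_filter( 'wp_insert_post_data', 'collab_example_filter_on_save', 10, 2 );
```

This variant implements the second bullet (mixed sessions get the lower-privileged treatment) without blocking anyone; the third bullet, refusing the save until lower-privileged users leave, would return a `WP_Error` or call `wp_die()` at the same decision point instead of filtering. Note that the check has to live server-side on save: anything enforced only in the editor UI is exactly what the browser-console scenario above bypasses.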